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Abstract of JP2001 03651 7 
PROBLEM TO BE SOLVED: To provide a 
system to limit access to contents of transmission 
program such as television program. SOLUTION: 
A transmitter or a head end server is used by a 
service provider to transmit encrypted 
programming contents to one or a plurality of 
customers. A program identifier (p) used to 
identify a program is transmitted to the customers 
together with programming contents. Each 
customer uses a set-top terminal or an 
interpretation key to provide a limited access to 
transmission multimedia information as other 
device. The set-top terminal 400 or the like 
receives entitlement information corresponding to 
a package of one or a plurality of programs that 
can normally be received for a period from a 
head end. 
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hzb^mttefh* *w«fc:t5^T, A- 7 ^y 

(4. FifS^ynyyA^'y bT-^y, *47n^A 

(4 1 i L < (4MSW >y y- ^'fcUI-f 4 Z b iPC* t . 
7°ny"yy,(4, r l/ti/'g y<?)xb°y- F'^H^i -5 

xyy^ b;py y F1f«i4. wftiem® 



=5r-fe* * T#*I*F i (4«7f r&17° oln;^ffiu^7 
KxyHt-^-3 OOKtyhh -yyy-5^4 

o o (cyy yn- f^i. z t & . 
[0017] _yny"yA^-fcj;y7°ny"yAiisij^_ 
#SfiynyyA(47°nyyAJf-k p &M^t^y f 

xyF7"-^'-3 0 OtioTHf^fkS^ift. :«7"n 
yy a^t- k p (47° n yy a t^.x- y ^ t cd t h z. 
t tfT% 5 . l»Bi^tfc i x y y ^ 

WLT(4. Xjtt, B. Schneier, Applied Cryptography (2 
d ed. 1997)£E«;S*UO^. Hf^-ftrn^5A^iM 
fttjDi.T . ^-y Fxy F7--A- 3 0 Oit-ty hhv 

yy-s^4 ootnt'7 FynyyAHsij^^ i>m 

fttS. -ti(4. IB'S^ix^xyy^ WHfffifcttt 
■fc >y F F v 7°y- 57-/1-4 0 0 (c i oTfflV^fl, TT" 

P»:StJ:5fc > yny"yA^»n-ri=^t^M? 

[0018] ypyyA^coynyyAtisij^fijo ^ 
ttits h7)flHy^Jll7>,t -it, '/,„i;'!i| 
-f p(4fi*^3SH'ii-S.t0T14^f> o if * L-^HSfiMtfe 

^•c. y n y y AUgij^ P {4 m p e g - 2 tss § 

tltz E C M 7 a -/F F £T3Mff $ tlh 3 2 h" >y F 
^4 i t I> . i co^. fc LH^^S^rn y 
5A^)jEfflJ-— f-T'^Wf . -fe >y F F y7°y-577F 
4 0 0(4IE'lt$ixSfi$^1ffg^^7°nyyAdf-k 
vZ%&c\t tf? & , * uof^T'Bf mt7 ny'y&ZMM 
*t&£o £7°nyyA^r-k p SfflV^ Z. b h . 

[0019] ^mco^m'mzxtui, mwm 
7°nyyA£fflu^^^kh'-y Niorny"yA^-k p 
«amtl vxy-^-mt i L<{4S^Ma 
y > 7V..'x-v y iBlgaSrJiffl-f -S - b iz X o m z b 

■c# s . »Mjgmy yfAA 7 yawt^ini 5: 

iL 0. Goldreich et al ., "How to Construct Random 
Functions, "J. ACM, 33:792-807(1986H;ifEtft£*rO> 

[ 0 0 2 0 ] Mb LT , Bf^Wt-b^f j.TT"$> 0 s ^ 

H : {0,1} ^ {0,1} 2k 

k{4rny"yA^-k p ^§T"fti, 0 

T . A.yyaIlHtt k b" >y 7 U -ffi^JR 0 . 

^$ 2 k w <>f y y -fa^ #5 . ; <T)i\ -y y x mm h « 
ai7j{4k b -y f a-^ y y -ffi^MH 0 1 Hi t i-xmrz 
btfx°%%>„ zzx\ H^vi/j-rmmcD&jjcDii 
m*tt (*«8ffft*./ f ) T"$) y s h {i} (4^ -7 y 

Hj (4Sij^y>A -y y ait m^z b tfi?% & . 

[002 1 ] k = 1 6 0T"J)tl(4\ H(4, AlK, Secure 
Hash Standard, National Institute of Standards an 
d Technology, NIST FIPS PUB 180-1, U. S. Dept. of 
Commerce(April, 1995)tElt$il5 ± 3 5r^^N '7 y 
*«¥SHA-l£ffllvc«s&t££i:#-c#S. 
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■fe, H 0 tiSHA- 1 ( x || 0 ) ££"3, H^iSHA- 
1 (x || 1 ) fc&ft, ZZX\ 0 k Ui*tl?tl4X 0 
£Ob".y hX b U £T 1 Ob>y b-X b 'J y^T'S) 

ft, 

[00 22] 7W7Adf-k p (j; s 7°n7"^AfiS'b? 
P <?»U -f 'J -ilI^r.t7X?-Jf-mt 1 i L<{± 

m&v ^ ■■/ y a raa & 0ii»wfc®ffl-r s - 1 1 «t -> t# 

Sit^f^. Mb LX, 7n/5AJf-k p ll 7° 

n7"7 Atisiff P «#f .y b fitoAM 7- y -et^o 
mmwmmi zuzx^ x%i z t &x-% ft . 

t L7n/7iiglJfp * s n b" .y b frt>mtii£. r 
n7'7 AiiS'ff p Wfcfi&tS t'-y MtftoTTn^ 
Atisff P«n«t' 7 f {iWy^fiWz) \ >y y jtB^S 
Ho^fetiHi^-^jifflSiiS (ft£b-y b^Pjflte 
if-ft) . 

[0 0 2 3] fttt^^-yy^raScHot/tiiH^-^' 
ftfeflf b -y b W ^ 7" U -tt tfl! X V X 9 fcji 
ffl£ilft 0 *<9ftT, I^(n-l) t".y himZti 
mtS L . ^ y is a. H51W o * fc (4 H ! (D-lT&ttJ&t 

b ifiVt ft . 
[»2 3 

(»»■■•) 

[0 0 24] J^Wiot, ^-y KxyKff-A-3 0 
OttBfrtftTn^A t fc t C7n/7 i*f$S'J? P £}M 
fftfto ffiioT, To^"7^liSiJ^P* i '4i.^l.t-fe 
■/ b b 7 7?- 5 77b 4 0 0 iiSfl7°n^"7^^ftlIstt 
ffl^tiftTn^5i^-k p £#&Wi(f&^\ 
T3£0 i o \z , Tn ^5 - k p JiTn 7't> Ai$'hT 
p WW 7- y -ltfcT7^?-^-m(; 1 fc t < l± 

IE-It 3 futx yNWMyf 'If Si^ J; t^ft Liz 7n 
^■'7Afi^ P ^ TO^tffll^Tli^-b 7hf -y7°7 

[0025] ^->yy- 

Alisij^pws-f ty-f(;tot7X^^-m(;i 
' 1 mm m^I0ifHi _HU ftdfcti; 

-) T#ft £ £ # ft . CD k t* «y b cr)~?x 7 
m£fflU&. 7°n^"7AH)jlJ^P^h"-y bixp = 

(Pi P„) fcl/ca^MfctfTS*. iiT, Pi 

fiifcSfjb >y b T A 0 , ft^ffib" >y b £ . TO 7 7 
AfiSff P 7°n 7' 7 A £#tl k p 

(4iaT^> J: 3 fcjgft* ; t & . 

[1*3] 



«,=ff A (...^(^(»))...) 

[0026] /^'yy^ffll 02tjSLfcdf-'yU- 

2 0 0 <7) ± 5 5^=3: n UOWU t y -7 U -T b t 

t a . H 2 t^Lfc^-'y y - 2 o o 

(i. 3t*7 bA^^I>7°n7"7A|i3 l J^P^^I»^ 
Wfcj^iE-rS. H2t7K-fJ;at. V77-^-m^'7 
y-2 0 0CD;b-b2 1 OtffiM^ixS. 7°n7'7Adf 
-k p (4y-77-b'2 4 0-2 4 7(7)j;a^y-77 
- H t^MJiE-t ^ . r y - 7 7 - K 2 4 3 ^7° n 7" 5 A 
-kjtMlStS^f'y^XO 1 lcoXo%m2lZ7sk 

-1-2 1 0/j^A. y-7 7-b 2 4 3^.7)^-7 y-2 0 
OiaLTCVWiij^t. Witf, 24 3?)7W7A 
^f-k p (±. ;b-b2 1 Oi>^£x 7 y (H 0 ) . 7- 
F2 2 0/j^^X7y (HJ , 7- b' 2 3 2j&»6<0 
*x .yy (H,) t fc if ft i 1 1 i -5T#ft i t 
ft, HJfc, H 0 ^'H 1 ^H2(7)^-ySyjt^OT;5lffl$ 
^ft o 7°n^7Adr-k p011 &#ft;t>&i-C#fto 
[0027]fot. 7-b'24 3<7)J;5^7-b'uC0 
yKMi^ )V-Y2 1 0*^7- b"u^ytx<7)X>y 

i^^^^jifeL/ii^fc^^Tv^ft, #7-b'i07 
<;H47°n^7 AUgiJ^ pT'^St-ft i t ft . 7 

-Fu b 1 1 ft ^-7'7 y - i&tfc#> fcWh. 
7- b u 0-9-7*7 y - tts(t«. y - 7 izttmt ft rn / 

5A»8!FFp^'/bS:^-ffe«)t) . T (u) ^'ffl^ 
A>fLft . =¥-7 'J-2 0 0 HfcftSSSS r [Zhtfh ^ 

7-bu(i. aHWra^5AMS!FFp ( Ul 

u r ) Z^L, Ztlt-AZML, -9"7'7y-T (u) fcfe 

(tftv^co7°o^7A<7)^-^lti:-rftit^T# 

ft . 7 - K u TUf 7'7 y - Hfc ft ft V YftW 7°n 7" 7 A 
^-^^A.y^^MIt^ (n-r) 0#»$-frft;t 
OftiTf ft i t #'T"# ft . ^ftWfctt, Jl^^'y 
^aBfflRHoi^iH^ro^AiiSII^pW (n- 
r ) «*«t*7 b ^-fiX^W^-ft J 3 tffl 
V^ft 0 7-buHMJtS-fft7W7Adf-k p 
fi , 7 - b u «t 7"7 y ~{ZH if ft ^7° n 7' 7At 

stsxy^^ b;k77bt Lxmrn-ttzb^x^ 
ft, 

[ 0 0 2 8 ] i Li«icH*W7 yfm^xhti 

{f. i v^°77-7-ft§^7°n7'7 

a^-^^ , y h°77"k p {o, {o, 1} k immyfM, 

mWtX$>&„ i*ltO^TI£SdK, 0. Goldreich et a 
1., "How toConstnici Random Functions," J. ACM, 3 
3 : 792-807 (1986) fca2» $ tlT ^ ft . 
[0029] yXfA3y^y>_ 
H3(i^>y KxyFf-7^3 0 0«7-^f 
-&^7*n-y70T-<feft o ^-ybX7b(i, fyty 

3 y^y b y-7 . y--7';i^ffl^, fJ^ivmm- 
vxmm%. fot^^mi^ikTvy-y zyr'ftmzmm 
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k-t&Zk ffVZ S.MKxy K-tf-A- 3 0 0 l±M 
£|f , IBM Corp. Kfrf S R S 6 0 0 Olf-A-tTH 

S £ t #«? H.MHxyF -tfw ^ 3 0 0 47°p 

%ffi£t&X*:V-%ffiz.&. rn-fe7t-3 10li|i 
-^7n-fe v-tf- LT^ LT t> i < . MMtififrr 

imr^-i X320^ROMt;ltL< (4ffilE<7)^£ 
IBMS^. 7n^.yt-3 1 O^IML. t?f?l. H 

[00 30] 5 lz, T~9m&r>UX3 2 0 

3 5 0^fitS o ^Rif. VX7-^-m(41MJJitf 

coxd izwmth ~ t ttz, txw 5 izmm 

ixnmthio T-tm&r'U X3 2 0(47P 
/5Af-^-^ 5 0 0 4 . 7n/5Af-^ 
^-7 5 0 OI4rn^5AaS!Hf-pt5iV#rn^5A 

3 2 0(4xy7-f F;F7yF'lf$ffi{i7°P-t:7 7 0 0:fc 
j;t/7°P7"7Aiefl7°p^8 0 0*Wf 
[00 3 1 ] HRfc, xy^ F/M y FfffBSmrn 
■^7 7 0 0(±jEffli-ir- , t*ft7 B n^5Atr^-feX 
1-&<ofc&M&&'$Sb1-&^y?4 F/k*yFfiffg£ 
^immi-^o ±ti, 7°n^7A@Sfi7°n-lrX8 0 0 
i± . r n 7? Afisff p trn/7A^ atffl: LMfrt 

[00 32] Mff ;K- F 3 3 0 (4^ 7 KiyKf-A- 
3 0 0£*vF7-7 1 lOCo^", Hlt^Lfc-fe 
«y F F 3 7VF4 0 0 O J; a &^£*WcSlfg£s 

-Hi/eftt^ Fxy b'-tf-ys-3 oo£ 'J y7t-§, 
[0 0 3 3] 04(4, *7bb777-St/H0 0£7) 

■y7°7-57/F4 0 0(1 Witf, rUtygyfcWJB 
«^7fb77?-St;MSTT) fcLTis»& 

ifctf-Cfc*. -fe-y FF>y7°7-S77F4 0 0(4, Ta 
^7f-4 1 0i3itfT-*fE#lgg4 2 0(O«fc-3$:* 

^y-. afi^-h4 3o^fix, H3fcraiUfc±w 
[0034] me^zrmixTxmmt^ x a r- 

7IE1S^m4 2 0(4. T-^fE'i^*4 2 OOT^aT 

SuHifEMt--^ £xy?l h;wyhf-? 

<-x6 0 0^fixl» o iyN FjF77Ft-:?<- 
^6 0 0ti»xy?^ b;Wyf^«7n/5 
A £*T-f 5 7° P 7" 7 ^ * - k p £ ff h tz 46 ^i^r - 

>yy-2 0 0<7)S^-£-§rtf o x-7lE'l§lg4 2 



OJiVN-y^B^HofcH! (44 0) ifc, 
09 Ml LTTWJFf I, i 0 T-7tEtfgM4 
2 0J4x':3-F7°p-t:,X9 0 0£~§-tf o — jRfc, f3- 
F"7°P-fe7 9 0 0(4. Tn^A^-kp 
Sft £ ii£ 7 = a/5i, i|5}i|?- P t j J; c^Ets 5 fi£ x > 7 

m-ftfzmzT'a^y^-k^m^X . Ig^'xy 

F/F7 7F£1r-f.£>TP7'7A£j»M-f £ 0 
[003 5] 05(4. \7FxyFf-A-3 0 0CJ; 

o TiMff § f ls#tp 77 a P ±£fit fg^ tEitrs ru 

/5Ar-^-^5 0 0*^LTV^. i^ffifg(4. 
^■^7°n^7A^W-S^ 0 'y^-y'i5J:V'>pfJE-ri>7°n 
^A|i)?iJ^ptttC Mi(i\ HA«r B 1tSm§ix 
S 0 7°n^7Ar-^^-X5 0 0(41^n-F5 0 5- 

5 2 0^J;3^a^T3-K^ffif#-ri= o iil^(4^ 
iimM : 5:l>7°n^7A^a'3'(t^nT^I> 0 7 ^~ 

5 2 5 fcrn^^A^t J: ^xmm^K^ru 

^y^mmzldLX, 7a^7Af-^^ 5 0 0 
14. 7 ^ 5 3 0 (;T^f07°n7'7A* i M-ri»MJE 
•f S^^'y^-y^TKSr^. 7 3 51/ZXM 

[0036] 06i4H^'xy^^ h;M>-h&*t-|» 

t$>s^-7 l J-2 0 0^M^xy^^ btvxy 

T (u) (47- Ku^;k-btf 

. / - k u m~?y u - 1 a n i u - 7 7 - f 2 4 0 

- 2 4 7 £2f ]6t S 7°n 7? MMm? P<7>^vh%m 
-To 0li.Jfs iLW*#y-7y-K24 0~24 3fc: 
MJCE-fl»4o<7)rn^7ASrgfi-ri»-t(;KLTxy 

#(4. 7— F 2 2 0 CMJtE-f S ^ral^f-* 1 1 * § £ 1 1 

zwmz&^x . mm^yy^mmn.tH, 

(440) IMmzm tX . 7- F 2 2 0 <7)+>-7"7 U - 
ttS(t«#y-b*2 3 0, 2 3 2. 2 4 0-2 4 3 
LT7°n7'7Adf-k p ^#|,Jttotffl^| ) ^t^T'^ 

[0037] 06T'*L/ixy7-f h;M7 Fr'-7< 
-7600(4. U-77-F240— 24 3£*fJ&f4 
Ho<7)7n7'7A^gfff l>IESJ-— y*-T"fe 0 (xy 
7>f hf^yhmi) . U-77-F24 6- 

fi!oT, xy7^ F/F7yFr-7^-X 

6 0 0tlEiSSn/Sxy7-f F;F7yh'|fffg(4. 7-F 
220t7-F2 3 6(;MJ£t"l>4irB^-* 1 fe^l>o 7 
-F2 2 0. 2 3 6^il-? ; 'iltML. xy7-f F^7y 
Fx-^<-76 0 0tfBii$^xy7^ F^77F 

K t 7n 77 AW \° -y 7- v\££r5\ itx y ^ >f F IV 



[0 0 3 8] 7'0/7AA"7^-yy/ 

ny'y A^^r >y h iztt &xy y MM y h £51 
[0 0 3 9] A-'^-ySt^xy^^ HWVb 

fpg(±, t (s) ^y-Htfc^rffifts^^r^- 

Wr-y hkiT'£>& 0 ±"CSi?tJ: 3 ;<7)^-<7)-b-y 
Mc£ 9, -fey b WT^-S^/M 0 0#jEB£S 

hSfc*tt$xy:M MM yMPR£o< 
[0 0 4 0] Tn-fex 

.Bfic?) i o t , ^ „ hx y H -9--; \'- 3 0 0 (20 7 C^ 

Lfcxy^>( mm v hmmmrv-tz 7 0 0 

i,z%x--~ f-izb ot^xyN MMyhr-? 
^-x6 0 0^4^LISfftl»» ffifefcoi'Sfc, xy? 
-f MMy hr-?<-.X6 0 omiS^iEaJ-— f- 
X'fohTuy^MzftLX. rn/5A#-k p ift4 
^^^= 5 f-7U-2 0 0£0#y-Kt:MLT, MJEE 

i 

[004 i]ffot, xy^^f MM y Mf ffflfirn 
«7 0 0(±4-f , ll^'iifKL/STn^^A^ii^ 
4(710). xyN MMyMffggftI 

7°n^X7 0 0(i7U-y-K^ft/J^-ybT ( S ) £ 
jiottS. •f^7'7 l J-(aIE5i(;^-^'y h-fe-y hS 
^-^'•y h-fe-y hS(i. ay^af< 
7'7° n y 7 mS&l- P ?)tt*T Uya^yh^yf- 
^V^b^m^tlh (72 0) . ~O£0Tn^5A^giJ 
7 p it . WM -f U -fBSfc*ff SgtR#:3 y-fe^ 
T 4 7X-$) &*g£ t s 3 * af 4 7' b #y £>ix& . 

[0042] -f-LT, #a-t ( s ) y?-^> 

fcMLTMt^tll, (7 3 0) . ttj^-cD-fevbk 

i fc#>fy^->^KciN-«^'?-T (s) coy- Ft 

Tf^^ixl-MJC^Sai^WTn^^A^'J^P^W 
£tll> (740) . ISC, 4j£3tl^x^>fh^ 
y bfif fgj&fvy Fxy F^-y\-3 0 0 [Z i^T-fe >y h 
N7T^-5t;H00^^yn-K§ll (7 5 
0 ) , 7°n^"^i,$[W^7t'l> ( 7 6 0 ) . 
[0 0 4 3] ?—¥v b-fe-y bStiSffM yy-A,^ 

y&iii (s) fc-r-S^t^T^S. ntoyy-y-F 
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[84] 

)=5,^o s |Z| IJ*/J% 

co^-y -T-rn y 7 Afisff P com-^ y ? -t <mz 

ftthW-T (S) Itmm-htzibiZ, I2n^- 

i yU-2 0 0tl?I*»!3r('WUFSrfe*v\ i^t, iy? 

4 mm y htpgiafirn-fey 7 o ocommmm^n i 

(S) ■ n^-^'-t^l.. NSC ft/MA-T 

(S)c^§£tx, I (S) ■ iKttfr-^-fc&i. H 
ji-rs^^rny7Ai±f)W(;^n^S:^°-yy--y' 
yy-t £ r t zm&zi-z>Tu?ymmpm ] o% 

y'ii. K'-y h7°lx7^ -y^X^^^rfS^T^rn^^ 
[0044] icoi 3 ^riji-h f >y ?^y y-y'^xy 

^>f h;wyMt ^f—yu-2 0 0Hfc(tl>#-t 7 ) d r 
v;^be.y^y^yy-y^i[j{tfflii 

fflf«l±*te , h t -y ^ >y y- >?3&» t * S m « 

<7) h t° -y ^ ^f-fo-fc >y h rfc 5 . ^mzm 

V\ 7°1^7^ ■yy'y^Hj;0S?ESill»^ o 'yy--^i2R] 

h X 3 t-fe 7 h h 7 ry- 5 ^;P4 o o tMLTS^L 

[004 5] JJaE^iat, FxyKf-^-30 
0J±, H8^-t7°ny7ASfiTn^y8 0 0 Sr^ff 
L . y n y y a ius ij7 P ^ ffl v y n y 7 a & iiij! l }M 
frW^ty ynyyAtyy^-^-mtfjDST 
^ii^yp y y M,mmT p ts^^-cr d y y a^- k 
p*#s. ynyyAgsffyn^y80 oia, *i^c?m 
fixx-y7mT'i2. ?i-7yj y^immmxmft 

h^t\±mmx%h, msiz^tkolz, yny^AE 

fiyn-try 8 o Qimm-^Tvrj&zmn-t&z. 

(810), 

[0046] -f-cofct, ynyy ami yn^y 8 o o 

(2TayyAT-^<-X5 0 0frt><7)7n?JJ*iZjtt 

m-hmyyj*miM=Fp*M t )iiii (82 o) , 

(830) . ^LTynyyA(i|rrt7)yT'y7T"im$ 

n/synyyAdf-k p ^ffl^THt^LSiii> (84 
0) . Mt, ynyyAEfl7°n-fey8 0 0{2. 7°n 
^7A^rj^p 1 1 1> tm^t§^7n/5 A^3Sff 

L (850) . ynyyA$ijfp^*Tt-|> ( 8 6 o ) „ 
[0047] yny'y AUSij^pti, yoyyAfpgco 
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mmzmix, mmtiMyfi-v-'fztixmmtz 

ZktfZt , 7n^7^©if^*;^I§«L, 
To 7" 7 A * »if t"l> tz&m%7u 7" y A*- k p £ 
f#l> i t «&fc -tS £ t (iSSTifc h . g'joHttflfc: 
fcWt , 7o^5^iffp fiBarkerf-^/l^J: 5 & 

[0 0 4 8] ±M<JDi 3 t7bf777-5tM 
0 0(2H9^L7tx3-K7°n-t:X9 OOfc^gfrU 
7W?A^-k p H#l>^»trJBM$ti7>xy7^ b 
/My Mffg6 0 OfciVgfl 5tl^7°n^"^A|i^ 
p £ffli^T . * <7)7°n7"7 A £jJ?grtS fcftfcTn ^7 
A*-k p £fflivcrogtfxy$»f b/Wyf3iiT^ 

Tn-te7 9 0 0(±#g^^y*;Pt^^-xy^§-tJ: 

n-fcxiHBWS (9 10) . 
[0049] *<9»fc , -fe >y h b 7 7° 7 ■ 5 -)r)VA 0 0 
iiBfrfft £ ti£ 7W 7 A i; ifmt S ;fi£7 W 7 A 

mftv it^mmm^^mh (92o)„f3 

— h'7"£M*X9 0 0(ixy?>f WM> bT-:^<-X 

6 0 0*^IB1t§*ifcxy^>f MMyhfiffg£iK9ft 
■f ( 9 3 0 ) . mm%KtzTu7'7&Z^tsfr}i*>fr* 
Wrti (940) . tt^T77°940(CT^firn 

ABM'J? p y h >J -#x yNWWyhf 

-?<-X6 0 0fcT#4L^fc«T$toy§i^ H 
St(4aiR5^fc7*n^5A t*rrsxy^>f h/M y 
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I , Title of iBTentioD 

Method and System For Tiansmittinf A Program Ha v i a g Restricted Access 
to An End-user 
Z. Claims 

1 ■ A method for transmitting a program having restricted access to an end- 

user, said method comprising the steps of: 

assigning a program identifier to said program, said program identifier 
having a binary value, 

defining at least one master key; 

encrypting said program using a program key, said program key obtained 
by applying at least one hash function to said master key based on a binary value of said 
program identifier, and 

transmitting said encrypted program together with said program identifier 
to said end-user. 

2. The method according to claim 1, wherein said program identifiei 

consists of n bits, and one of said hash functions is applied for each of the n bit positions 
of the program identifier depending on the corresponding bit value of the program 
identifier. 

3 - The method according to claim 1, further comprising the step of 

providing entitlement information to said end-users based on the set of programs 
obtained by said end-user 

4. The method according to claim 3, wherein said entitlement information 

includes a portion of a key tree based on the set of programs obtained by said end-user. 

5 The method according to claim 3, wherein said end-user uses said 

received program identifier to derive said program key from said stored entitlement 
information. 

6. The method according to claim 1, wherein said program identifier is 

interleaved with the transmission of said encrypted program. 
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7. The method according to claim 1, wherein said program identifier is 
transmitted on a control channel. 

8. A method for transmitting a program to a plurality of end-users, said 
method comprising the steps of: 

encrypting said program using a program key, said program having a 
program identifier, said program key obtained by recursively applying a hash function to 
a master key based on the binaty value of each bit position of said program identifier, 
and 

transmitting said encrypted program and said program identifier to said 

9. The method according to claim 8, wherein said program identifier 
consists of n bits, and a hash function is applied for each of the n bit positions of the 
program identifier depending on the corresponding bit value of the program identifier. 

10. The method according to claim 8, further comprising the step of 
providing entitlement information to said emi-users based on the set of programs 
obtained by said end-user 

1 1 The method according to claim 10, wherein said entitlement information 

includes a portion of a key tree based on the set of programs obtained by said end-user. 

12. The method according to claim 10, wherein said end-user uses said 
received program identifier to derive said program key from said stored entitlement 
information. 

13. The method according to claim 8, wherein said program identifier is 
interleaved with the transmission of said enciypted program. 

14. The method according to claim 8, wherein said program identifier is 
transmitted on a control channel 
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15. A method for transmitting a program associated with at least one package 
of programs to a plurality of end-users, said method comprising the steps of 

providing entitlement information to said end-users based on the set of 
programs obtained by said end-user, 

encrypting said program using a program key, said program having a 
program identifier, said program key obtained by recursively applying a hash function to 
a master key based on the binary value of each bit position of said program identifier; 

transmitting said program identifier with said encrypted program to said 
end-users, said end-users deriving said program key from said stored entitlement 
information if said end-user is entitled to said program. 

16. The method according to claim 15, wherein said program identifier 
consists of n bits, and one of said hash functions is applied for each of the n bit positions 
of the program identifier depending on the corresponding bit value of the program 
identifier. 

17. The method according to claim 1 5, wherein said entitlement information 
includes a portion of a key tree based on the set of programs obtained by said end-user. 

18. The method according to claim 15, wherein said end-user uses said 
received program identifier to derive said program key from said stored entitlement 
information. 

19. The method according to claim 15, wherein said program identifier is 
interleaved with the transmission of said encrypted program. 

20. The method according to claim 15, wherein said program identifier is 
transmitted on a control channel. 
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21 ■ A method for decoding an encrypted program, said method comprising 

the steps of: 

receiving entitlement information ftom a provider of said program, said 
entitlement information including a portion of a key tree based on a set of programs 
obtained by said customer; 

receiving said encrypted program and a program identifier, said encrypted 
program encrypted with a program key; 

deriving said program key from said program identifier and said stored 
portion of said key tree; and 

decrypting said encrypted program using said program key. 

22. The methud according to claim 21, wherein said program identifier 

consists of n bits, said master key is placed at the root of said key tree and said key tree 
is generated by applying a hash function to each node, until n tree levels have been 
created. 

23 ■ A method for decoding an encrypted program, said method comprising 



receiving entitlement information from a provider of said program, said 
entitlement information including at least one intermediate key from a key tree based on 
a set of programs obtained by said customer; 

receiving said encrypted program and a program identifier, said encrypted 
program encrypted with a program key; 

deriving said program key from said program identifier and said stored 
intermediate key by recursively applying a hash function to said intermediate key based 
on the binary value uf said program identifier, and 

decrypting said encrypted program using said program key. 
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24. The method accoiding to claim 23, wherein said program identifier 
consists of n bits and said intermediate key corresponds to an intermediate node at a 
level r of said key tree, and wherein said hash function is applied to said intermediate key 

25. A system for transmitting a program having restricted access to an end- 
user, said system comprising: 

a memory for storing a master key and computer readable code; and 

a processor operatively coupled to said memory, said processor 

configured to: 

assign a program identifier to said program, said program identifier 
having a binary value; 

define at least one master key; 

encrypt said program using a program key, said program key obtained by 
applying at least one hash function to said master key based on a binary value of said 
program identifier; and 

transmit said encrypted program together with said program identifier to 

said end-user. 

26. A system for transmitting a program having restricted access to an end- 
user, said system comprising: 

a memory for storing a master key and computer readable code; and 

a processor operatively coupled to said memory, said processor 

configured to: 



encrypt said program using a program key, said prosram having a 
program identifier, said program key obtained by recursively applying a hash function to 
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a master key based on the binary value of each bit position of said program identifier; 
and 

transmit said encrypted program and said program identifier to said end- 

27. A system for decoding an encrypted program, said system comprising: 

a memory for storing a master key and computer readable code; and 
a processor operatively coupled to said memory, said processor 



receive entitlement information from a provider of said program, said 
entitlement information including a portion of a key tree based on a set of programs 
obtained by said customer; 

receive said encrypted program and a program identifier, said encrypted 
program encrypted with a program key; 

derive said program key from said program identifier and said stored 
portion of said key tree; and 



28. An article of manufacture comprising: 

a computer readable medium having computer readable code means 
embodied thereon, said computer readable program code means comprising. 

a step to assign a program identifier to a program, said program identifier 
having a binary value; 

a step to define at least one master key; 



(2 1) B2 001-36517 (P2001-36517A) 



a step to encrypt said program using a program key, said program key 
obtained by applying at least one hash function to said master key based on a binary 
value of said program identifier; and 

a step to transmit said encrypted program together with said program 
identifier to said end-user. 



29 An article of manufacture comprising: 

a computer readable medium having computer readable cods means 
embodied thereon, said computer readable program code means comprising: 

a step to receive entitlement information from a provider of a program, 
said entitlement information including a portion of a key tree based on a set of programs 
obtained by said customer, 

a step to receive said encrypted program and a program identifier, said 
encrypted program encrypted with a program key; 

a step to derive said program key from said program identifier and said 
stored portion of said key tree, and 

a step to decrypt said encrypted program using said program key 



3. 



Detailed Description oi Invention 
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F i dd of the . I nv ention 

The present invention relates generally to a system for restricting access to 
transmitted programming content, and more particularly, to a system for transmitting an 
encrypted program together with a program identifier which is used by a set-top 
terminal, together with stored entitlement information, to derive the decryption key 
necessary to decrypt the program 



As the number of channels available to television viewers has increased, along 
with the diversity of the programming content available on such channels, it has become 
increasingly challenging for service providers, such as cable television operators and 
digital satellite service operators, to offer packages of channels and programs that satisfy 
the majority of the television viewing population The development of packages that 
may be offered to customers is generally a marketing function. Generally, a service 
provider desires to offer packages of various si?es, from a single program to all the 
programs, and various combinations in between. 

The service provider typically broadcasts the television programs from a 
transmitter, often referred to as the "head-end," to a large population of customers. 
Each customer is typically entitled only to a subset of the received programming, 
associated with purchased packages In a wireless broadcast environment, for example, 
the transmitted proj^aruining can be received by anyone with an appropriate receiver, 
such as an antenna or a satellite dish Thus, in order to restrict access to a transmitted 
program to authorized customers who have purchased the required package, the service 
provider typically encrypts the transmitted programs and provides the customer with a 
set-top terminal (STT) containing one or more decryption keys which may be utilized to 
deciypt programs that a customer is entitled to. In this manner, the set-top terminal 
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receives encrypted transmissions and decrypts the programs that the customer is entitled 
to, but nothing else. 

In order to minimize piracy of the highly sensitive information stored in the set- 
top terminals, including the stored decryption keys, the set-top terminals typically 
contain a secure processor and secure memory, typically having a capacity on the order 
of a few kilobits, to store the decryption keys. The secure memory is generally non- 
volatile, and tamper-resistant. In addition, the secure memory is preferably writable, so 
that the keys may be reprogrammed as desired, for example, for each hilling period. The 
limited secure mcmoiy capacity of conventional set-top terminals limits the number of 
keys that may be stored and thereby limits the number of packages which may be offered 
by a service provider It is noted that the number of programs typically broadcast by a 
service provider during a monthly billing period can be on the order of 200,000, 

In one variation, conventional set-top terminals contain a bit vector having a bit 
entry corresponding to each package of programs offered by the service provider. If a 
particular customer is entitled to a package, the corresponding bit entry in the bit vector 
stored in the set- top terminal is set to one ("1"). Thereafter, all programs transmitted by 
the service provider are encrypted with a single key. Upon receipt of a given program, 
the set-top terminal accesses the bit vector to determine if the corresponding bit entry 
has been set. If the bit entry has been set, the set-top terminal utilises a single stored 
decryption key to decrypt the program. While, in theory, flexibility is achieved in the bit 
vector scheme by providing a bit entry for each package (a package generally consists of 
one program), th* length of the bit vectoi would be impractical in a system transmitting 
many programs in a single billing period. In addition, access control in such a system is 
provided exclusively by the entries in the bit vector and is not cryptographic. Thus, if a 
customer is able to overwrite the bit vector, and set all bits to one ("1"), then the 
customer obtains access to all programs. 

In a further variation, programs are divided into packages, and all programs in a 
given package are encrypted using the same key. Again, each package typically 
corresponds to one television channel. The set-top terminal stores a decryption key for 
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each package the customer is entitled to. Thus, if a program is to be included in a 
plurality of packages, then the program must be retransmitted for each associated 
package, with each transmission encrypted with the encryption key corresponding to the 
particular package. Although the access control is cryptographic, the overhead 
associated with retransmitting a given program a number of times discourages service 
providers from placing the same program in a number of packages and thereby limits 
flexibility in designing packages of programs. 

While such previous systems for encrypting and transmitting programming 
content have been relatively successful in restricting access to authorized customers, they 
do not permit a service provider, such as a television network, to offer many different 
packages containing various numbers of programs to customers, without exceeding the 
limited secure memory capacity of the set-top terminal or significantly increasing the 
overhead. United States Patent Application Serial Number 08/912,186, filed August 15, 
1997 and assigned to the assignee of the present invention, heieinafter referred to as the 
"Vspace System," discloses a cryptographic method and apparatus for restricting access 
to transmitted programming content. 

Each program in the Vspace System is encrypted by the head-end server prior to 
transmission, using a program key, K P Bach of the program k^ys is a linear combination 
of a defined set of master keys, M. A program identifier identifying the program is 
transmitted with the encrypted programming content, the customer's sot-top terminal 
can derive the decryption key from only the received program identifier, p, and 
previously stored entitlement information. The Vspace System provides a cryptographic 
access control mechanism, while pei milting flexible packages (since the program docs 
not need to be retransmitted for each assorted package) without significantly extending 
the program header (only the program identifier is transmitted with the program). 



Generally, encrypted programming content is transmitted by a service provider 
using a transmitter, or head-end server, to one or more customers. According to one 
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aspect of the invention, a program identifier, p, used to identify the program is 
transmitted to the customer with the programming content Each customer has a set-top 
terminal or another mechanism to restrict access to the transmitted multimedia 
information using decryption keys. The set-top terminal receives entitlement 
information from the head-end, corresponding to one or more packages of programs that 
the customer is entitled to for a given period. 

Hach program is encrypted by the head-end server prior to transmission, using a 
program key, K. P , which may be unique to the program. In addition to transmitting the 
encrypted program, the heau-enu server transmits the program identifier, p, to the set- 
top terminal. The set-top terminal uses the received program identifier, p, together with 
the stored entitlement information, to derive the decryption key necessary to decrypt the 
program. In this manner, if a customer is entitled to a particular program, the set-top 
termiiial will be able to derive the encrypted program key, Kp, using the stored and 
received information, and thereafter use the program key, Kj>, to decrypt the encrypted 
program. In various embodiments, the program identifier, p, can be interleaved with the 
program portion or transmitted on a separate dedicated control channel. 

According to one aspect of the invention, each of the A-bit program keys, K fl 
used to encrypt transmitted programs is obtained by applying one or more pseudo- 
random hasli functions, H, to a master key, m. In one implementation, a length-doublinp, 
hash function, H, is utilized. Thus, the hash function, II, takes a *-bit binary value and 
produces a binaiy value having a length of 2k. The output of the hash function, H, can 
be represented as a pair of A-bit binary values, Ho and Hi, where Ho is referred to as the 
left half of the output of the hash function, and Hi is the right half of the output of the 
hash (unction. 

In an illustrative implementation, a program key, K,,, is obtained by recursively 
applying a hash function. Ho or H,, to the master key, m, depending on the 
corresponding binary value of each bit position of the program identifier, p. Thus, if the 
program identifier, p, consists of n bits, one of the hash functions, Ho or H,, is applied 
for each of the n bit positions of the program identifier, p, depending on the 



(26) B2 001-36517 (P2001-36517A) 



5 Bteichen'uacher 1-8 

corresponding bit value of the program identifier, p. Initially, one of the hash functions. 
Ho or Hi, is applied to the master key, m, depending on the binary value of the most 
significant bit of the program identifier, p. Thereafter, for each of the remaining (n-1) bit 
positions, one of the hash functions, H 0 or Hi, is applied to the result of the previous 
hash operation, depending on the binary value of the corresponding bit. The calculation 
of the program key, Kp can be represented as follows: 

The hash operation can be represented in terms of an n-level binary tree, T, 
referred to as the key tree, with the master key, m, placed at the root of the tree. The 
tree is generated by applying the hash functions Ho and Hi to each node, until the desired 
number of tree levels (n) have been created. The program keys, K,, correspond to the 
leaf nodes at the bottom level of the tree. The binary index (and likewise the program 
identifiers, p) associated with each prosram key, Kp, corresponds to the path through the 
key tree from the root to the desired leaf node Thus, the index or label of a given node, 
u, is the concatenation of the labels on the edges on the path from the root to the node u. 
T(u) denotes the subtree rooted at node u, or the set of program identifiers, y, 
corresponding to the leaves in the subtree of node u. For an internal node, w, at depth r 
in the key tree, with a partial program identifier, p, (u,, ... , u r ), the keys of any program 
in the subtree T(u) can be computed by activating the hash function n - r times. 

A more complete understanding of the present invention, as well as further 
features and advantages of the present invention, will be obtained by reference to the 
following detailed description and drawings. 

Brief Descrin tion of the Drawings 

FIG. 1 is a schematic block diagram illustrating a system for transmitting 
encrypted programming content in accordance with one embodiment of the present 
invention; 
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FIG. 2 is a conceptual representation of an exemplary key tree in accordance 
with the present invention; 

FIG. 3 is a schematic block diagram of an exemplary head-end server of FIG. 1; 

FIG. 4 is a schematic block diagram of an exemplary set-top terminal of FIG. 1; 

FIG. 5 illustrates a sample table from the program database of FIG, 3; 

FIG. 6 illustrates a sample table from the entitlement database of FIG. 4; 

FIG. 7 is a flow chart describing an exemplary entitlement information 
distribution process as implemented by the head-end server of FIG. 3; 

FIG. 8 is a flowchart describing an exemplary program distribution process as 
implemented by the head end server of FIG 3; and 

FIG. 9 is a flowchart describing an exemplary decode process as implemented by 
the set-top terminal of FIG. 4. 



FIG. 1 shows an illustrative network environment for transferring encrypted 
multimedia information, such as video, audio and dati, frum a service provider using a 
transmitter, such as a head-eud server 300, discussed further below in conjunction with 
FIG. 3, to one or mors customers having set-top terminals 400-401, such as the set-top 
terminal 400, discusseu further below in conjunction with FIG. 4, over one or more 
distribution networks 1 10. As used herein, a set-top terminal includes any mechanism to 
restrict access to the transmitted multimedia information using decryption keys, 
including, for example, a computer configuration or a telecommunications device. It is 
possible for software executed by the set-top terminal to be downloaded by the service 
provider. The distribution network 110 can be a wireless broadcast network for 
distribution of programming content, such as a digital satellite service ("DSS™"), or a 
conventional wired network, such as the cable television network ("CATV"), the Public 
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Switched Telephone Network ("PSTN"), an optical network, a broadband integrated 
services digital network ("ISDN") or the Internet. 

According to a Feature of the present invention, the set-top terminal 400 
intermittently receives entitlement information from the head-end server 300, which 
permits a customer to access programs that the customer is entitled to for a given time 
interval, such as a billing period. As used herein, a package is a predefined set of 
programs, and a given program can belong to one or more packages. A program is any 
continuous multimedia transmission of a paiticuiar length, such as a television episode or 
a movie. The entitlement information can be downloaded from the head-end server 300 
to the set-top terminal 400 using any suitably secure uni-directional or Li-directional 
protocol, as would be apparent to a person of ordinary skill 

PROGRAM KEYS AND PROGRAM IDENTIFIERS 

As discussed further below, each transmitted program is encrypted by the head- 
end server 300 using a program key, KV, which may be unique to the program. For a 
detailed discussion of suitable encryption and security techniques, see B. Schneier, 
Applied Cryptography (2d ed. 1997), incorporated by reference herein. In addition to 
transmitting the encrypted program, the head-end server 300 also transmits an n-bit 
program identifier, p, to the set-top terminals 400, which may be utilized by the set-top 
terminal 400, together with stored entitlement information, to derive the decryption key 
necessaiy to decrypt the program, in a manner described further below. As discussed 
below in a section entitled ASSIGNING PROGRAM IDENTIFIERS TO PROGRAMS, 
the program identifiers, p, are not chosen arbitrarily. In one preferred embodiment, the 
program identifier, p, consists of a thirty-two (32) bit value that may be transmitted, for 
example, in the ECM field defined in the MPEG-2 standard. In this manner, if a 
customer is entitled to a particular program, the set-top terminal 400 will be able to 
derive the program key, K P , from stored and received information, and thereafter use the 
program key, K>, to decjypt the encrypted program. 
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According to a further feature of the present invention, each of the A-bit program 
keys, Kp, used to encrypt transmitted programs is obtained by applying one or more 
pseudo-random hash functions to a master key, m. For a detailed discussion of suitable 
pseudo-random hash functions, sec, for example, O. Goldreich et al., "How to Construct 
Random Functions," J. ACM, 33:792-807 (1986), incorporated by reference herein. 

In one implementation, a crytograpbically-secure, length doubling, hash function 
is utilized, as follows: 

ff:{0.1}'-»{0,i}», 

where, k is the length of the program key, K p . Thus, the hash function, H, takes a A-bit 
binary value and produces a binary value iiaving a length of 2k. The output of the hash 
function, H, can be represented as a pair of *-bit binary values, Ho and H,, where Ho is 
referred to as the left half of the output of the hash function, H (most significant bits), 
and Hi is the right half of the output of the hash function, H (most significant bits). Ho 
and H] can be said to be separate hash functions. In one illustrative implementation, 
when k equals 160, H could be defined by using the secret hash standard, SHA-1, as 
defined in Secure Hash Standard, National Institute of Standards and Technology, N1ST 
FfPS PUB 180-1, U.S. Dept. of Commerce (April, 1995), incorporated by reference 
herein. In other words, Ho equals SHA-1 (xj|0), and Hi equals SHA-1 (jcJlX where 0 and 
1 are all-zero and all-one bit strings, respectively. 

According to a further feature of the present invention, a program key, Kp, is 
obtained by recursively applying one or more hash functions to the master key, m, 
depending on the binaiy value of the program identifier, p. In one implementation, the 
program key, K,,, is obtained by recursively applying one of the hash functions, Ho or Hj, 
to the master key, m, depending on the binary value of each bit position of the program 
identifier, p. Generally, if the program identifier, p, consists of n bits, one of the hash 
functions, Ho or Hi, is applied for each of the n bit positions of the program identifier, p, 
(starting with the most significant bit) depending on the corresponding bit value of the 
program identifier, p. Initially, one of the hash functions, Ho or H,, is applied to the 



(30) B2 001-36517 (P2001-36517A) 



9 Bleichenbacher 1-8 

master key, m, depending on the binary value of the most significant bit. Thereafter, for 
each of the remaining (n-1) bit positions, one of the hash functions, Ho or H[, is applied 
to the result of the previous hash operation, depending on the binary value of the 
corresponding bit. As discussed below in a section entitled THE KEY TREE, the hash 
operation can be represented as follows: 

("»■■•). 

As previously indicated, the head-end server 300 will transmit the program 
identifier, p, with the encrypted program. Thus, given the program identifier, p, the set- 
top terminal 400 must obtain the program key, Kp, used to decrypt the received 
program. As previously indicated, the program key, Kj>, is obtained by recursively 
applying one or more hash functions to a master key, m, depending on the binary value 
of the program identifier, p. The program keys, Kp, must be obtained by the customer's 
set-top terminal 400 indirectly using the stored entitlement information, discussed below, 
and the received program identifier, p. 

THE KEY TREE 

As previously indicated, a program key, is obtained by recursively applying 
one or more hash functions, H, to a master key, m, depending on the binary value of the 
program identifier, p. A single k-b\t master key, m, is utilized. The bits of the program 
identifier, p, are denoted by p = (p,,. ,p„), where p, is the most significant bit and p„ is 
the least significant bit. According to a feature of the present invention, the encryption 
key, K,, for a program with a program identifier, p, is deQncd as follows: 

K^H^.H^H^m))..). 

The hash operation can also be rep.csented in terms of a full n-level binary tree 
T, referred to as the key tree 200, shown in FIG. 2. The illustrative key tree 200, shown 
in FIG. 2, corresponds to an implementation having program identifiers, p, consisting of 
three bits. As shown in FIG. I, the master key, m, is placed at the root 210 of the tree 
200. The program keys, Kp, correspond to the leaf nodes, such as the leaf nodes 240- 
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247. The index associated with each program key, Kp, shown in FIG. 2, such as the 
index 01 1 associated with the program key, K,, of the leaf node 243, indicates the path 
through the key tree 200 from the root 210 to the leaf node 243. For example, the 
program key, K p , of the leaf node 243 is obtained by following a left edge (Ho) from the 
root 210, a right edge (H t ) from the node 220 and a right edge (H,) from the node 232. 
In other words, Ho is initially applied to the master key : m, then H, is applied to a first 
hash result, and Hi is again applied to the second hash result. The resulting value is the 
program key, K^u. 

Thus, the label of a given node, u, such as the node 243, is the concatenation of 
the labels on the edges on the path from the root 210 to the node u. The label of each 
node can be identified with the program identifiers, p. T(u) is utilized to denote the 
subtree rooted at node ti, or equivalently, to denote the set of program identifiers, p, 
corresponding to the leaves in the subtree of node u. For an internal node, h, at depth r 

in the key tree 200, with a partial program identifier, p, (m u,), the keys of any 

program in the subtree T(u) can be computed. The key of any program in the subtree of 
node u is computed by activating the hash function n - r times Specifically, the 
appropriate hash function, Ho or Hi, is utilized as directed by the value of each of the n - 
r low order bits of the program identifier, p Thus, the program key, Kp, corresponding 
to a node u can serve as an entitlement for ail programs in the subtree of node u. 

If the function His a pseudo-random generator, then the mapping of the program 
keys, K, {0,1}" -» {0,l} k , parameterized by the master key, ra, is a pseudo-random 
function. See, fur example, O Goldreich et al , "How to Construct Random Functions," 
J. ACM, 33:792-807 (1986), incorporated by reference above. 

SYSTEM COMPONENTS 

FIG. 3 is a block diagram showing the architecture of an illustrative head-end 
server 300. The head end may be associated with a television network, a cable operator, 
a digital satellite service operator, or any service provider transmitting encrypted 
programming content. The head-end server 300 may be embodied, for example, as an 
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RS 6000 server, manufactured by IBM Corp., as modified herein to execute the 
functions and operations of the present invention. The head-end server 300 includes a 
processor 310 and related memory, such as a data storage device 320. The processor 
310 may be embodied as a single processor, or a number of processors operating in 
parallel. The data storage device 320 and/or a read only memory (ROM) are operable to 
store one or more instructions, which the processor 310 is operable to retrieve, interpret 

As discussed above, the data storage device 320 includes a master key database 
350 for storing the master key, m. The master key, m, may be updated, for example, 
once per billing period. In addition, as discussed further below in conjunction with FIG 
5, the data storage device 320 includes a program database 500. The program database 
500 indicates the program identifier, p, and associated packages corresponding to each 
program. In addition, as discussed further below in conjunction with FIGS. 7 AND 8, 
the data storage device 320 includes an entitlement information distribution process 700 
and a program distribution process 800. Generally, the entitlement information 
distribution process 700 generates and distributes the entitlement information required by 
each customer to access entitled programs. In addition, the program distribution process 
800 derives the program key, K p , based on the program identifier, p, assigned to the 
program in order to encrypt and transmit the program with the program identifier, p. 

The communications port 330 connects the head-end server 300 to the 
distribution network 110, thereby linking the head-end server 300 to each connected 
receiver, such as the set-top terminal 400 shown in FIG. 1 . 

FIG. 4 is a block diagram showing the architecture of an illustrative set-top 
terminal 400. The set-top terminal 400 may be embodied, for example, as a set-top 
terminal (STT) associated with a television, such as those commercially available from 
General Instruments Corp , as modified herein to execute the functions and operations of 
the present invention. The set-top terminal 400 includes a processor 410 and related 
memory, such as a data storage device 420, as well as a communication port 430, which 
operate in a similar manner to the hardware described above in conjunction with FIG. 3. 
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As discussed further below in conjunction with FIG. 6, the data storage device 
420 includes an entitlement database 600 that may be stored in a secure portion of the 
data storage device 420. The entitlement database 600 includes those portions of the 
key tree 200 tliat are necessary to derive the program keys, K,, for the programs to 
which the customer is entitled. In addition, the data storage device 420 includes the hash 
functions, H 0 and Hi, 440. In addition, as discussed further below in conjunction with 
FIG. 9, the data storage device 420 includes a decode piocess 900. Generally, the 
decode process 900 decrypts programs that a customer is entitled to, by using the 
received program identifier, p, and the stored entitlement information 600 to derive the 
program key, K P , and then using the program key, fCp, to decrypt the program. 

FIG. 5 illustrates an exemplary program database 500 that stores information on 
each program, p, which will be transmitted by the head-end server 300, for example, 
during a given billing period, including the packages the program belongs to and the 
corresponding program identifier, p. The program database 500 maintains a plurality of 
records, such as records 505-520, each associated with a different program. For each 
program identified by program name in field 525, the program database 500 includes an 
indication of the corresponding packages to which the program belongs in field 530 and 
the corresponding program identifier, p, in field 535. 

FIG. 6 illustrates an exemplary entitlement database 600 that includes those 
portions of the key tree 200 that are necessary to derive the prugram keys, K p , for the 
programs to which the customer is entitled. As previously indicated, T(u) is utilized lu 
denote the subtree rooted at a node u, or equivalent^, to denote the set of program 
identifiers, p, corresponding to the leaf nodes 240-247 in the subtree of node u For 
example, if a customer is entitled to receive the four programs corresponding to the leaf 
nodes 240-243, the entitlement informatioii would consist of the intermediate key 
associated with node 220. In this manner, the appropriate hash functions, Ho and H,, 
440 can be used to derive the program keys, K„, for each node 230, 232, 240-243 in the 
subtree of node 220, as necessary. 
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The exemplary entitlement database 600 shown in FIG. 6 corresponds to a 
customer that is entitled to receive the four programs corresponding to the leaf nodes 
240-243, as well as the two programs corresponding to the leaf nodes 246-247, Thus, 
the entitlement iiiformation recorded in the entitlement database 600 consists of trie 
intermediate keys associated with node 220 and node 236. For each node 220 and 236, 
the entitlement information recorded in the entitlement database 600 includes the 
intermediate key value, and Ki n , respectively, and an indication of the corresponding 
partial program identifier, p. The manner in which the entitlement information 600 is 
generated by the entidement information distribution process 700 based on packages of 
programs selected by a customer is discussed below in conjunction with FIG 7. 

PROGRAM PACKAGING 

Small entitlements can be established for many sets of programs of varying size, 
using the tree scheme of the present invention A target set, S, is established using the 
collection of programs to be packaged. A minimal set of tree nodes is obtained whose 
subtrees precisely cover the target set, S, as follows: 

T(S) = /, c T such that |J /'(« ) =5, and \Z\ is minimal . 

The entitlement information for the package, S, is the set of intermediate keys, 
K, held at the nodes of T(S) As indicated above, this set of keys allows the set-top 
terminal 400 to decrypt exactly the programs in S but nothing else, It is noted that, in 
principle, the tree scheme of" the present invention can cieate entitlement information for 
any arbitrary target set, S. It is further noted, however, that if the program identifiers, p, 
are assigned arbitrarily then the entitlement iiibrmation may become prohibitively large 
for the limited secure memory of the set-top terminals 400. 

PROCESSES 

As discussed above, the head-end server 300 executes an entitlement information 
distribution process 700, shown in FIG. 7, to generate and distribute the entitlement 
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information 600 required by each customer to access entitled programs As previously 
indicated, the entitlement information 600 consists of the intermediate key value, K r , and 
an indication of the corresponding paitial program identifier, p, for each node of the key 
tree 200 that is necessary to derive the program keys, Kp, for the programs to which the 
customer is entitled. 

Thus, the entitlement information distribution process 700 initially identifies the 
programs selected by the customer during step 710. Thereafter, the entitlement 
information distribution process 700 finds a minimal set of tree nodes, T{S), whose 
subtrees precisely cover the target set, S. The target set, S, is decomposed during step 
720 into maximal disjoint intervals of consecutive program identifiers, p. It is noted that 
two program identifiers, p, are considered consecutive if the integers corresponding to 
the binary representations are consecutive A cover, T{S), is then found for each interval 
during step 730. The set of intermediate keys, Ki, and corresponding partial program 
identifiers, p, held at the nodes of the cover, T{S), for each interval are generated during 
step 740. Finally, the generated entitlement information is downloaded by the head-end 
server 300 to the set-top terminal 400 during step 750, before program control 
terminates during step 760. 

The number of intervals in the target set, S, is referred to as I(S). To compute a 
cover, T(S), for a single inta val of piogram identifiers, p, on the order of n tree nodes 
must be visited in a key tree 200 of depth n Thus, the time complexity of the 
entitlement information distribution process 700 is on the order of I{S) n. Likewise, the 
size of the minimal cover, T(S), is on the order of I(S) n Programs with related content 
should be assigned program identifiers, p, that allow them to be packaged efficiently. In 
one implementation, basic packages are of the form all program identifiers, p, with a bit 
prefix u. An entitlement for such a single-topic package is a single key in the key tree 
300. Moreover, multi-topic packages can be assembled with no side-effects. The 
entitlement information is simply the set of keys for the individual topics that comprise 
the multi-topic package. In accordance with the present invention, a package defined by 
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a prefix p. does not allow the set-top terminal 400 to decrypt programs with a 0 prefix of 
the same length. 

As discussed above, the head-end server 300 executes a program distribution 
process 800, shown in FIG. 8, to derive the program key, K P , based on the program 
identifier, p, assigned to the program and the master key, m, in order to encrypt and 
transmit the program with the program identifier, p. It is noted that the program 
distribution process 800, other than the actual transmission step, can be executed offline 
or in real-time. As illustrated in FIG. 8, the program distribution process 800 begins the 
processes embodying the principles of the present invention during step 810 by 
identifying a program to be transmitted. 

Thereafter, the program distribution process 800 retrieves the program identifier, 
p, corresponding to the program from the program database 500, during step 820, and 
then calculates the program key, K P , corresponding to the program during step 830. The 
program will then be encrypted during step 840 with the program key, K P , calculated 
during the previous step. Finally, the program distribution process 800 will transmit the 
encrypted program together with the program identifier, p, during step 850, before 
program control terminates during step 860. It is noted that the program identifier, p, 
can be transmitted periodically interleaved throughout the transmission of the program 
information, so that a customer can change channels during a program and be able to 
derive the program key, Kp, which is required to decrypt the program, In an alternate 
embodiment, the program identifier, p, can be continuously transmitted on a separate 
control channel, such as a Barker channel 

As discussed above, the set-top terminal 400 executes a decode process 900, 
shown in FIG 9, to decrypt programs that a customer is entitled to, by using the 
received program identifier, p, and the stored entitlement information 600 to derive the 
program key, K P , and then using the program key, K P , to decrypt the program. As 
illustrated in FIG 9, the decode process 900 begins the processes embodying the 
principles of the present invention during step 910, upon receipt of a customer 
instmction to tune to a particular channel. 
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Thereafter, the set-top terminal 400 will receive the appropriate signal during 
step 920, including the encrypted program and the transmitted program identifier, p. 
The decode process 900 then retrieves the stored entitlement information from the 
entitlement database 600 during step 930. A test is performed during step 940 to 
determine if with the transmitted program. If it is determined during step 940 that an 
entry does not exist in the entitlement database 600 having a partial program identifier, p, 
that matches the most significant bits of the received program identifier, p, then the 
customer is not entitled to the selected program and program control terminates during 
step 980. 

If, however, an entry does exist in the entitlement database 600 having a partial 
program identifier, p, that matches the most significant bits of the received program 
identifier, p, then the customer is entitled to the selected program. Thus, the program 
key, K P , is then calculated during step 960 using the intermediate key, Ki, retrieved from 
the entry of the entitlement database 600. Specifically, the program key, K,, is computed 
by activating the appropriate hash function, Hp or Hi, as directed by the value of each of 
the n - r low order bits of the program identifier, p, as follows: 

K r =H Pt (. ..H^ ))...). 

Finally, the program is decrypted using the derived program key, Kp, during step 
970, before program control terminates during step 980 It is noted that if the received 
program is not part of the customer's entitlement, then there is no entitlement 
information in the entitlement database 600 having a partial program identifier, p, that 
matches the low order bits of the program identifier, p, received with the transmitted 
program. 

It is further noted that the decode process 900 can wait for the customer to 
request a particular channel before attempting to derive the decryption keys and 
determine whether the customer is entitled to the requested channel, as described above, 
or the decode process 900 can alternatively periodically scan all channels to obtain the 
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transmitted program identifiers, p, in order to derive the decryption keys for storage in 
the data storage device 420 and predetermine the customer's entitlement. 

SUITABLE HASH FUNCTIONS 

As previously indicated, if the hash function, H, is a pseudo-random bit generator, 
then the mapping of p -» K p is provably a pseudo-random function. Thus, if the actual 
hash function, H, is cryptographically strong, then the encryption keys would be 
unpredictable. Accordingly, if a pirate only has access to the encrypted program 
broadcast, the knowledge that the keys were generated using the tree scheme of the 
present invention does not seem to help in breaking the encryption. Therefore, 
essentially the only concern is to ensure that the video encryption algorithm can 
withstand known plaintext attacks. 

The hash function, H, should possess two properties. First, it must be hard to 
compute the input x given half of the image H 0 (x) or H,(x) for the hash function, H. 
This certainly holds for any cryptographic hash H, which is hard to invert even when 
both halves of the image are known In addition, it must be hard to compute H 0 (x) even 
when H,(x) is known, and vice versa. In principle, it may be easier to complete a missing 
half-key when the other half is known, even if the function H is hard to invert. If this is 
the case, then a pirate who knows the program key, K p foi a node u may be able to 
compute the key to a sibling node, v, and then to all the programs in the subtree of node 

One advantage of the tree scheme in accordance with the present invention is that 
it makes merging pirated entitlements inefficient Consider a pair of sibling programs, pi 
and P2, and their parent node, u. Suppose that the pirate knows the program key, Kp, 
corresponding to both programs, pi and pa, which are the two halves of H(Kp(u)) The 
pirate still cannot invert II and compute Kp(u) since II is a cryptographic hash function. 
Thus, the merged pirated entitlements would have to contain both K p (pi) and K p (p 2 ), 
rather than more compact K p {u). Thus, breaking into multiple set-top terminals 400 with 

18 Bleichenbacher 1-8 
cheap (but different) entitlements is not a good strategy for the pirate, since the 
combined entitlement will be very large. 

As previously indicated, suitable pseudo-random hash functions are discussed, for 
example, in O. Goldreich et al., "How to Construct Random Functions," J. ACM, 
3 3 ; 792-807 ( 1986), incorporated by reference above. 

It is to be understood that the embodiments and variations shown and described 
herein are merely illustiative of the principles of this invention and that various 
modifications may be implemented by those skilled in the art without departing from the 
scope and spirit of the invention. 
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A system for restricting access to transmitted programming content is 
disclosed, which transmits a program identifier with the encrypted programming content. 
A set-top terminal or similar mechanism restricts access to the transmitted multimedia 
information using stored decryption keys. The set-top terminal receives entitlement 
information periodically from the head-end, corresponding to one or more packages of 
programs that the customer is entitled to for a given period. Each program is encrypted 
by the head-end server prior to transmission, using a program key, K P , which may be 
unique to the program. The set-top terminal uses the received program identifier, p, 
together with the stored entitlement information, to derive the decryption key necessary 
to decrypt the program. Each of the A-bit program keys, K P , used to encrypt transmitted 
programs is obtained by applying one or more pseudo-random hash functions, II, such as 
a length-doubling hash fiinction, H, to a master key, m The illustrative hash function, H, 
takes a i-bit binary value and produces a binary value having a length of 2k, with U 0 
being the left half of the output of the hash function, and Hi being the right half of the 
output of the hash function. A program key, K p , is obtained by recursively applying a 
hash function, Ho or Hi, to the master key, m, depending on the corresponding binary 
value of each bit position of the program identifier, p. The hash operation is represented 
in terms of an fl-level binary tree, T, referred to as the key tree, with the master key, m, 
placed at the root of the tree. The tree is generated by applying the hash functions Ho 
and Hi to each node, until the desired number of tree levels (n) have been created. The 
urogram keys, Kp, correspond to the leaf nodes at the bottom level of the tree The 
program identifier, p, associated with each program key, K p , corresponds to the path 
through the key tree from the root to the desired leaf node. 
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(54) METHOD FOR TRANSMITTING PROGRAM TO LIMIT ACCESS TO END USER AND 
METHOD FOR DECODING ENCRYPTED PROGRAM 

(57)Abstract: 

PROBLEM TO BE SOLVED: To provide a system to limit access to 
contents of transmission program such as television program. 
SOLUTION: A transmitter or a head end server is used by a service 
provider to transmit encrypted programming contents to one or a 
plurality of customers. A program identifier (p) used to identify a 
program is transmitted to the customers together with programming 
contents. Each customer uses a set-top terminal or an interpretation 
key to provide a limited access to transmission multimedia 
information as other device. The set- top terminal 400 or the like 
receives entitlement information corresponding to a package of one or 
a plurality of programs that can normally be received for a period 
from a head end. 
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CLAIMS 



[Claim(s)] 

[Claim 1] The step which assigns the program identifier which is the approach of transmitting the program 
which can carry out access restriction to an end user, and has (A) binary value to said program, (B) The step 
which enciphers said program by using the step which defines at least one master key, and the program key 
obtained by applying at least one Hash Function to said master key based on the binary value of the (C) 
aforementioned program identifier, (D) Approach characterized by having the step which sends said 
enciphered program to said end user with said program identifier. 

[Claim 2] Said program identifier is an approach according to claim 1 characterized by applying one of said 
the Hash Functions to each location of n bits of said program identifier according to the bit value to which it 
becomes from n bits and said program identifier corresponds. 

(Claim 3] (E) The approach according to claim 1 characterized by having further the step which provides 
said end user with entitlement information based on the set of the program acquired by said end user. 
[Claim 4] The approach according to claim 3 characterized by including some key trees based on the set of 
the program acquired by said end user in said entitlement information. 

[Claim 5] Said end user is an approach according to claim 3 characterized by using said program identifier 
in order to obtain said program key from said memorized entitlement information. 
[Claim 6] Said program identifier is an approach according to claim 1 characterized by interleaving with 
transmission of said encryption program. 

[Claim 7] Said program identifier is an approach according to claim 1 characterized by being transmitted on 
a control channel. 

[Claim 8] The approach characterized by to have the step enciphered using the program key which is the 
approach of transmitting a program to two or more end users, and was obtained by applying a Hash 
Function to the master key based on the binary value of each bit position of said program identifier for the 
program which has (A) program identifier recurrently, and the step which transmits the program which 
carried out (B) encryption, and said program identifier to said end user. 

[Claim 9] Said program identifier is an approach according to claim 8 characterized by applying said Hash 
Function to each location of n bits of said program identifier according to the bit value to which it becomes 
from n bits and said program identifier corresponds. 

[Claim 10] (C) The approach according to claim 8 characterized by having further the step which provides 
said end user with entitlement information based on the set of the program acquired by said end user. 
[Claim 11] The approach according to claim 10 characterized by including some key trees based on the set of 
the program acquired by said end user in said entitlement information. 

[Claim 12] Said end user is an approach according to claim 10 characterized by using said program identifier 
in order to obtain said program key from said memorized entitlement information. 

[Claim 13] Said program identifier is an approach according to claim 8 characterized by interleaving with 
transmission of said encryption program. 



[Claim 14] Said program identifier is an approach according to claim 8 characterized by being transmitted 
on a control channel. 

[Claim 15] It is the approach of transmitting the program corresponding to at least one program package to 
two or more end users. (A) The step which provides said end user with entitlement information based on 
the set of the program acquired by said end user, (B) The step enciphered using the program key obtained 
by applying a Hash Function to the master key based on the binary value of each bit position of said 
program identifier for the program which has a program identifier recurrently, (C) Have further the step 
which transmits said program identifier to said end user with the enciphered program, and if said end user 
is a just user of said program Said end user is an approach characterized by obtaining said program key 
from the memorized entitlement information. 

[Claim 16] Said program identifier is an approach according to claim 15 characterized by applying one of 
said the Hash Functions to each location of n bits of said program identifier according to the bit value to 
which it becomes from n bits and said program identifier corresponds. 

[Claim 17] The approach according to claim 15 characterized by including some key trees based on the set of 
the program acquired by said end user in said entitlement information. 

[Claim 18] Said end user is an approach according to claim 15 characterized by using said program identifier 
in order to obtain said program key from said memorized entitlement information. 

[Claim 19] Said program identifier is an approach according to claim 15 characterized by interleaving with 
transmission of said encryption program. 

[Claim 20] Said program identifier is an approach according to claim 15 characterized by being transmitted 
on a control channel. 

[Claim 21] The step which receives the entitlement information which is the approach of decoding the 
enciphered program and contains at least one middle key from a key tree based on the set of the program 
which said customer acquired from the provider of the (A) aforementioned program, (B) The encryption 
program enciphered by the program key, and the step which receives a program identifier, (C) Approach 
characterized by having the step which obtains said program key from the part said program identifier and 
said key tree were remembered to be, and the step which decodes said encryption program using the (D) 
aforementioned program key. 

[Claim 22] It is the approach according to claim 21 which said program identifier consists of n bits, and said 
master key is arranged on the root of said key tree, and is characterized by generating said key tree when 
said key tree applies a Hash Function to each node until the tree level of n is made. 
[Claim 23] It is the approach of decoding the enciphered program. From the provider of the (A) 
aforementioned program The step which receives the entitlement information which contains at least one 
middle key from the key tree based on the set of the program which a customer acquires, (B) The encryption 
program enciphered by the program key, and the step which receives a program identifier, (C) The step 
which obtains said program key from the part the key tree was remembered to be from said program 
identifier and said middle key by applying a Hash Function to said middle key recurrently based on the 
binary value of said program identifier, (D) Approach characterized by having the step which decodes said 
encryption program using said program key. 

[Claim 24] It is the approach according to claim 23 which said program identifier consists of n bits, and said 
middle key corresponds to the intermediate node in the level r of said key tree, and is characterized by 
carrying out n-r time application of said Hash Function at said middle key. 

[Claim 25] The memory which is the system which transmits the program which restricts access to an end 
user, and memorizes the (A) master key and a computer readout possible code, (B) It has the processor 
connected with said memory in actuation. This processor (a) The program identifier which has a binary 
value is assigned to said program, (b) Define at least one master key and said program is enciphered using a 
program key by applying at least one Hash Function to said master key based on the binary value of the (c) 



aforementioned program identifier, (d) System characterized by constituting so that an encryption program 
may be transmitted to said end user with said program identifier. 

[Claim 26] The memory which is the system which transmits the program to which access to an end user 
was restricted, and memorizes the (A) master key and the code which can be computer read, (B) It has the 
processor connected with said memory on actuation. Said processor (a) The program key obtained by 
applying a Hash Function to a master key recurrently based on the binary value of each bit position of said 
program identifier is used. The system characterized by constituting so that this program that enciphered 
this program that has a program identifier and was enciphered by the (b) aforementioned end user, and said 
program identifier may be transmitted. 

[Claim 27] The memory which is the system which decodes the enciphered program and memorizes the (A) 
master key and the code which can be computer read, (B) It has the processor connected with said memory 
on actuation. Said processor (a) The entitlement information containing the part of the key tree based on the 
set of the program acquired by said customer is received from the provider of this program, (b) The 
encryption program enciphered by the program key and a program identifier are received, (c) System 
characterized by obtaining said program key from said part said program identifier and said key tree were 
remembered to be, and constituting so that said encryption program may be decoded using the (d) 
aforementioned program key. 

[Claim 28] It is the medium by which the code means which can be computer read was mounted and which 
can be computer read. This means that can be computer read assigns the program identifier which has (a) 
binary value at the time of actuation to a program, (b) Define at least one master key and the program key 
obtained by applying at least one Hash Function to said master key based on the binary value of the (c) 
aforementioned program identifier is used. The medium which is characterized by transmitting this 
program that enciphered this program and was enciphered with the (d) aforementioned program identifier 
to an end user and which can be computer read. 

[Claim 29] It is the medium by which the code means which can be computer read was mounted and which 
can be computer read. This means that can be computer read receives the entitlement information 
containing the part of the key tree based on the set of the program acquired by the (a) aforementioned 
customer at the time of actuation from the provider of this program, (b) The encryption program enciphered 
by the program key and a program identifier are received, (c) Medium which is characterized by obtaining 
said program key from said part said program identifier and said key tree were remembered to be, and 
decoding said encryption program using the (d) aforementioned program key and which can be computer 
read. 
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DETAILED DESCRIPTION 



[Detailed Description of the Invention] 
[0001] 

[Field of the Invention] This invention relates to the system which transmits the program decoded with the 
memorized entitlement information using the program identifier used by the set top terminal, in order to 
obtain a decode key required to decode a program especially about the system which restricts access to the 
contents of transmitting programming. 
[0002] 

[Description of the Prior Art] It is still more important that a service provider like a cable television operator 
or a digital satellite service operator offers the package of the channel to which a majority of a television 
viewer's population is satisfied, or a program as the number of channels with an available television viewer 
increases and the range of the available contents of programming increases in number by such channel. 
Generally development of the package with which a customer is provided is a marketing function. A service 
provider is wanted to offer the package of various sizes generally/For example, they are all programs, the 
combination between them, etc. from one program. 

[0003] A service provider usually broadcasts a television program from the transmitter called a "head end" 
to many customers. Each customer is usually concerned with a part of programming to receive. For 
example, in a broadcast environment, any man can receive programming transmitted with a suitable 
receiver like an antenna or a satellite disk. In order to restrict access of a program only to the normal 
customer who purchased the package, a service provider usually enciphers a transmitting program and 
contains 1 or two or more code machines in a customer. A set top terminal (STT) is offered. By such 
approach, a set top terminal receives encryption transmission and the program which a customer looks at is 
enciphered. Nothing is carried out but this. 

[0004] In order that the confidentiality memorized in the set top terminal may make piracy of high 
information min, a set top terminal is usually equipped with a secure processor or secure memory. This 
secure memory has the capacity of several kilobits order, and memorizes a code key. Generally secure 
memory is not volatility but tamper REJISUTANTO. Moreover, secure memory has that it can write [ much 
] in and can carry out the repro gram of the key for every accounting period. Since the secure memory 
capacity of the conventional set top terminal is restricted, the number of the keys memorized will be 
restricted and the number of the packages which a service provider offers will also be restricted. The 
number of the programs which a service provider broadcasts to the accounting period of a moon unit may 
usually be the order of 200,000. 

[0005] The conventional set top terminal has a thing containing bit VEKUTORU which has a bit entry 
corresponding to each package of the program which a service provider offers. If a specific customer is the 
normal addressee of a package, the bit entry in the bit vector memorized in a set top terminal will be set to 
"1." After that, all the programs that a service provider transmits are enciphered by one key. If a program is 
received, a set top terminal will judge whether the bit entry which accesses and corresponds to a bit vector is 
set. If the bit entry is set, as for a set top terminal, a program will be decoded using one memorized code 



machine. 

[0006] Although it seems to a theory top that flexibility is attained by the bit vector method by offering one 
bit entry to each package (a package consisting of one program generally), the die length of a bit vector is 
not practical in the system which transmits many programs to one accounting period. Moreover, the access 
control in such a system is exclusively given by the entry in a bit vector, and is not code-like (cryptographic). 
Therefore, if a customer can write in a bit vector and can set all bits to "1", a customer will be able to access 
all programs. 

[0007] Moreover, a program is divided into each package and there are some as which all the programs in a 
package are enciphered using the same key. Each package corresponds to one television channel. A set top • 
terminal memorizes the decode key to each package the customer of whose is a normal addressee. 
Therefore, if a program is included in two or more packages, that program must be broadcast again for 
corresponding each package of every, and will be enciphered in this the transmission of each by the code 
key corresponding to a specific package. Although it is cryptography-like [ an access control ], by the 
overhead about broadcasting programming again repeatedly, it will not be realistic, and will carry out 
arranging the same program as much packages, and flexibility will be restricted in the design of the package 
of a program. 

[0008] although the conventional system which encipher such contents of a program and be transmit be 
comparatively successful about restrict access only to a normal customer , it have not make it possible to 
provide a customer with the package with which a large number which include much programs , without 
make an overhead increase fairly differ , without a service provider like a television network exceed the 
secure memory capacity to which the set top terminal be restricted . The cryptography-approach and 
equipment which restrict access to the contents of transmitting programming to the "Vspace system" 
indicated by the United States patent applications 08/912186 (August 15, 1997 application) are indicated. 
[0009] Each program in a Vspace system is enciphered by the head end server before transmission using the 
program key kP. Each program key is the linearity combination of the set with which the master key M was 
defined. The program identifier which identifies a program is transmitted with the contents of encryption 
programming. A customer's set top terminal can obtain a decode key only from the entitlement information 
recorded on the program identifier p which received, and the front. A Vspace system offers a 
cryptography-access-control mechanism, enabling the package which is supple, without extending a 
program header fairly (only a program identifier being transmitted with a program). It is because it is not 
necessary to broadcast a program again for corresponding each package of every. 
[0010] 

[Means for Solving the Problem] Generally, the contents of programming enciphered by 1 or two or more 
customers by the service provider using the transmitter thru/or the head end server are transmitted. The 
program identifier p used for identifying a program is transmitted to a customer with the contents of 
programming. Each customer has other devices in which access restricted to transmitting multimedia 
information using the set top terminal thru/or the decode key is given. A set top terminal receives 1 which 
can receive to normal at a period with a customer, or the entitlement information corresponding to the 
package of two or more programs from a head end. 

[0011] Each program is enciphered by the head end server before transmission using the program key kp. 
the program key kp of an individual - the program ~ unique - making . In addition to transmission of the 
enciphered program, a head end server transmits the program identifier p to a set top terminal. A set top 
terminal obtains a decode key required to decode a program using the program identifier p which received 
with the memorized entitlement information. In this approach, if a customer is the normal user of a specific 
program, a set top terminal can obtain the program key kp enciphered using the information memorized 
and received, and can decode the program enciphered using that program key kp after that. In an example, 
the program identifier p can be interleaved to a part of program, and can be transmitted on a separate 



exclusive control channel. 

[0012] Each of k-bit program key kp used for enciphering a transmitting program can be obtained by 
applying 1 or two or more pseudo-random Hash Functions to a master key m. As an example, Hash 
Function H which doubles die length can be used. Therefore, Hash Function H takes a k bit binary value, 
and makes the binary value of the die length of 2k. The output of Hash Function H can be expressed as pair 
HO of k-bit binary value as HI. Here, HO can be identified as a left half of the output of the Hash Function 
concerned, and HI can be identified as a right half of the output of the Hash Function concerned. 
[0013] As an example, the program key kp can be obtained according to the binary value to which each bit 
position of the program identifier p corresponds by applying recurrently Hash Functions HO or HI to a 
master key. Therefore, if the program identifier p consists of m bits, one side of Hash Functions HO or HI 
will be applied to each bit position of n of the program identifier p according to the bit value to which the 
program identifier p corresponds. First, one side of Hash Functions HO or HI is applied to a master key 
according to the binary value which is the leftmost digit bit of the program identifier p. After that, according 
to the binary value of a corresponding bit, one side of Hash Functions HO or HI is applied to the result of a 
pre- hash operation to each remaining bit position (n-1). Count of the program key kp can be expressed as 
follows. 
[Equation 1] 

K p =H Pr (...H Pi (H n (m))...) 

[0014] Such a hash operation can be expressed in relation to n level binary tree T (called a key tree) by which 
the root 2 master key m of a tree is arranged. A tree is generable by applying Hash Functions HO and HI to 
each node until a desired number of tree-level (n) is made. The program key kp corresponds to the leaf (leaf) 
node in the bottom (bottom) level of a tree. The binary index (the same the program identifier [ And ] p) 
corresponding to each program key kp corresponds to the pass (way) which passes along the key tree from 
the root to a desired leaf node. Therefore, the index thru/or label of Node u is connection of the label on H 
on the pass from the root to Node u. T (u) can calculate any key of the program in subtree T (u) by carrying 
out time (n-r) actuation of the Hash Function to the internal node u (ul, ur) in depth r in the subtree 
which makes Node u the root, i.e., the key tree which has the partial program identifier p showing the set of 
the program identifier p corresponding to the leaf in the subtree of Node u. 
[0015] 

[Embodiment of the Invention] Drawing 1 has shown the network environment which transmits video, an 
audio, and encryption multimedia information like data to 1 or two or more customers who have the set top 
terminals 400-401 through 1 or two or more distribution networks 110 using a transmitter like the head end 
server 300 from a service provider. This head end server 300 argues in relation to drawing 3 in the bottom, 
and argues about the set top terminal 400 in relation to drawing 4 in the bottom. In this specification, a set 
top terminal includes any device in which access restriction is given to the multimedia information 
transmitted using the decode key. For example, a computer configuration and a communication link device 
are included. A service provider may download the software which a set top terminal performs. A network 
110 can be made into the wireless broadcasting network which distributes contents of programming like 
digital satellite service (DSSTM), a cable television network (CATV), a public switching network (PSTN), an 
optical network, ISDN, and a cable network like the Internet. 

[0016] The set top terminal 400 receives entitlement information intermittently from the head end server 300, 
and enables a customer to access the program whose customer is a registered user between a certain time 
intervals (for example, accounting period). In this specification, a package is the set of a predetermined 
program and a certain program can belong to 1 or two or more packages. A program means all of . 
continuous multimedia transmission of the episode of television, or specific die length like a movie. 
Entitlement information is downloadable in the set top terminal 400 from the head end server 300 using 



which suitable secure one way or bidirectional protocol. 

[0017] Program key and program identifier each transmitting program is enciphered by the head end server 
300 using the program key kp. This program key kp can be made unique to a program. Suitable encryption 
and a security technique are indicated by reference, B.Schneier, and Applied Cryptography (2d ed.1997). In 
addition to transmission of an encryption program, the head end server 300 also transmits a n bit program 
identifier to the set top terminal 400. This is used by the set top terminal 400 with the memorized entitled 
information, and as shown in a detail, it obtains a decode key required to decode a program in the bottom. 
[0018] The program identifier p is not chosen as arbitration so that the item of the bottom entitled 
assignment of the program identifier to a program may explain. In a desirable example, the program 
identifier p can consist of the 32-bit value transmitted in the ECM field specified to MPEG-2 criterion. In this 
case, if it is the registered user of the program of specification [ a customer ], the set top terminal 400 can 
obtain the program key kp from the information memorized and received, and it can use the program key 
kp so that an encryption program may be decoded after that. 

[0019] According to the further description of this invention, each of the k-bit program key kp used for an 
encryption transmitting program can be obtained by applying 1 or two or more pseudo-random Hash 
Functions to a master key m. Explanation of a suitable pseudo-random Hash Function is indicated by 
reference and O.Goldreich et al. and "How to Construct Random Functions" J. ACM and 33:792-807 (1986). 
[0020] As an example, it is secure in cryptography, and the Hash Function which doubles die length is used 
as follows. 

H: {0, 1} k->{0, l}2k - here, k is the die length of the program key kp. Therefore, Hash Function H takes the 
binary value of k bits, and makes the binary value of die-length 2k. The output of this Hash Function H can 
be expressed as pair HO of a k bit binary value as HI. Here, HO is the left-hand side one half (left-hand side 
digit bit) of the output of Hash Function H, and is H. {1} is the right-hand side one half (right-hand side digit 
bit) of the output of Hash Function H. HO and HI can be called a separate Hash Function. 
[0021] If it is k= 160, H can be specified using secret hash standard SHA-1 which is indicated by reference, 
Secure Hash Standard, National Institute of Standards and Technology, NIST FIPS PUB 180-1, and 
U.S.Dept.of Commerce (April, 1995). That is, HO is set to SHA-1 (x I 1 0), and HI turns into SHA-1 (x I 1 1). 
Here, 0 and 1 are the bit strings of all the bit strings 1 of 0 altogether, respectively. 

[0022] The program key kp can be obtained by applying recurrently 1 or two or more Hash Functions to a 
master key m according to the binary value of the program identifier p. As an example, the program key kp 
can be obtained by applying recurrently one side of Hash Functions HO or HI to a master key m according 
to the binary value of each bit position of the program identifier p. Generally, if the program identifier p 
consists of n bits, according to the bit value to which the program identifier p corresponds, one side of Hash 
Functions HO or HI will be applied to each of the bit position of n of the program identifier p (it starts from 
a leftmost bit). 

[0023] One side of Hash Functions HO or HI is first applied to a master key according to the binary value 
which is a leftmost digit bit. After that, according to the binary value which is the bit to which one side of 
Hash Functions HO or HI corresponds, it is applied to the result of pre- hash actuation to each remaining bit 
position (n-1). This hash actuation can be expressed as follows so that the item of a title called lower "key 
tree" may explain. 
[Equation 2] 

K p =H Pr (...H p2 (H Pi (m))..) 

[0024] As mentioned above, the head end server 300 transmits the program identifier p with an encryption 
program. Therefore, if the program identifier p is given, the set top terminal 400 must obtain the program 
key kp used for decode of a receiving agent. As mentioned above, the program key kp can be obtained by 
applying recurrently 1 or two or more Hash Functions to a master key m according to the binary value of 



the program identifier p. The program key kp must be obtained by a customer's set top terminal 400, using 
indirectly the memorized entitlement information and the program identifier p which received which is 
explained in the bottom. 

[0025] As explained on the key tree, the program key kp can be obtained by using recurrently 1 or two or 
more Hash Functions for a master key m according to the binary value of the program identifier p. The k-bit 
single master key m is used. The bit of the program identifier p can be expressed as p= (pi, pn). Here, pi 
is a leftmost digit bit and is a rightmost digit bit. The cryptographic key kp to the program which has the 
program identifier p can be defined as follows. 
[Equation 3] 

K p =H H {...H H (H li {m))...) 

[0026] Hash actuation can be expressed as a perfect n level binary tree T like the key tree 200 shown in 
drawing 2 . The key tree 200 shown in drawing 2 corresponds to the example of mounting which has the 
program identifier p which consists of a triplet. As shown in drawing 2 , a master key m is arranged on the 
root 210 of a tree 200. The program key kp corresponds to a leaf node like leaf nodes 240-247. The index 
corresponding to each program key kp shown in drawing 2 like the index 011 corresponding to the program 
key kp of the DERIFU node 243 shows the pass which lets the key tree 200 from the root 210 to a leaf node 
243 pass. For example, the program key kp of 243 can be obtained by following with the left edge (HO) from 
the root 210, the right edge (HI) from a node 220, and the right edge (HI) from a node 232. That is, HI is 
further applied for HO to the 2nd hash result. The program key kpOH can be obtained. 
[0027] Therefore, the label of a node u like a node 243 is what connected the label on the edge of the pass to 
Node u from the root 210. The label of each node can be specified by the program identifier p. Since the 
subtree which makes Node u the root is expressed, T (u) is used (namely, since the set of the program 
identifier p corresponding to the leaf in the subtree of Node u is expressed). The internal node u in depth r 
in the key tree 200 has the partial program identifier p (ul, ur), and can calculate the key of which 
program in subtree T (u) to these. Any key of the program in the subtree of Node u is calculable by carrying 
out time (n-r) actuation of the Hash Function. Specifically, it uses so that the value of each bit of the low 
digit of (n-r) of the program identifier p may direct suitable Hash Functions HO or HI. Therefore, the 
program key kp corresponding to Node u can function as an entitlement to all the programs in the subtree 
of Node u. 

[0028] If Function H is a pseudo-random generator, mapping kp{0, 1} ->[ n] {0, 1} k of the program key 
which the master key m parameterized is a pseudo-random function. This is indicated by reference, and 

0. Goldreich et al. and "How toConstruct Random Functions" J.ACM and 33:792-807 (1986). 

[0029] System component drawing 3 is the block diagram showing the head end server's 300 AKI theque 
char. A head end shall be related with the service provider of the arbitration which transmits a television 
network, a cable employment person, a digital satellite service employment person, or the contents of 
encryption programming, the head end server 300 — for example, IBM — it can mount with RS6000 server 
which Corp(s) and manufactures, and the function and actuation of this invention can be performed. The 
head end server 300 is equipped with related memory like a processor 310 and the data storage device 320. 
A processor 310 may be mounted as a single processor and may be mounted as some processors which 
operate to juxtaposition. The data storage device 320 and ROM are made to memorize 1 or two or more 
instructions, and a processor 310 enables it to perform by taking out and interpreting. 

[0030] As mentioned above, the data storage device 320 is equipped with the master key database 350 which 
memorizes a master key m. For example, a master key m can be updated like [ for every accounting period 

1. Moreover, the data storage device 320 has the program database 500 so that it may explain in relation to 
drawing 5 in the bottom. The program database 500 presents the program identifier p and the related 
package corresponding to each program, moreover, drawing 7 R> — the data storage device 320 has the 



entitlement information delivery process 700 and the program delivery process 800 so that it may explain in 
relation to 7 and 8. 

[0031] Generally, the entitlement information delivery process 700 generates and distributes the entitlement 
information which each customer needs to accessing the program which is a registered user. Moreover, the 
program delivery process 800 obtains the program key kp based on the program identifier p assigned to the 
program, in order to encipher a program and to transmit by the program identifier p. 
[0032] The communication link port 330 links the head end server 300 to each connected receiver like the set 
top terminal 400 which showed the head end server 300 to the network 110 at a bond and drawing 1 . 
[0033] Drawing 4 is the block diagram showing the AKI theque char of the set top terminal 400. The set top 
terminal 400 can be mounted as a set top terminal (STT) corresponding to television, and it can be changed 
so that the function and actuation of this invention may be performed. The set top terminal 400 is equipped 
with a processor 410 and memory like data storage 420, and the communication link port 430, and operates 
by the same approach as the above hardware relevant to drawing 3 . 

[0034] Data storage 420 is equipped with the entitlement database 600 memorizable into the secure part of 
data storage 420 so that it may explain in relation to drawing 6 in the bottom. The entitlement database 600 
contains the part of the key tree 200 required in order that a customer may get the program key kp to the 
program which has an entitlement. Moreover, data storage 420 is equipped with Hash Functions HO and HI 
(440). Moreover, data storage 420 includes the decoding process 900 so that it may explain in relation to 
drawing 9 in the bottom. Generally, using the program identifier p received in order to obtain the program 
key kp, and the memorized entitlement information 600, in order to decode a program, the program key kp 
is used for the decoding process 900, and it decodes the program whose customer has an entitlement. 
[0035] Drawing 5 shows the program database 500 which memorizes information on each program p 
transmitted by the head end server 300. This information is transmitted to for example, an accounting 
period with the program identifier p to which that program belongs and which packs and corresponds. The 
program database 500 holds two or more decodings like records 505-520. These are related with a different 
program, respectively. The program database 500 contains the program identifier p which corresponds in 
the field 535 including directions of the corresponding package with which the program belongs in the field 
530 to each program identifier identified by the program name in the field 525. 

[0036] Drawing 6 shows the entitlement database 600 containing the part of the key tree 200 required for a 
customer to get the program key kp to the program which has an entitlement. As mentioned above, T (u) 
expresses the set of the program identifier p corresponding to the leaf nodes 240-247 in the subtree which 
makes Node u the root, i.e., the subtree of Node u. For example, supposing a customer has an entitlement 
about receiving four programs corresponding to leaf nodes 240-243, entitlement information will consist of a 
middle key corresponding to a node 220. In this approach, if needed, suitable Hash Functions HO and HI 
(440) can be used in order to obtain the program key kp to each nodes 230, 232, 240-243 in the subtree of a 
node 220. 

[0037] The entitlement database 600 shown by drawing 6 is a registered user who receives four programs 
corresponding to leaf nodes 240-243 (there is an entitlement), and is a registered user who receives two 
programs corresponding to leaf nodes 246-247. Therefore, the entitlement information recorded on the 
entitlement database 600 consists of a middle key corresponding to a node 220 and a node 236. nodes 220 
and 236 - it is alike, respectively, and it receives, and the entitlement information recorded on the 
entitlement database 600 has the middle key values kio and kill, respectively, and has corresponding 
directions of the partial program identifier p. The approach by which the entitlement database 600 is 
generated by the entitlement information delivery process 700 based on the package of the program which 
the customer chose is explained in relation to drawing 7 in the bottom. 

[0038] A small entitlement is establishable to the set of many programs of various sizes using the tree 
method of program packaging this invention. The target set S is established using the set of the program 



packed. The minimum set of a tree node with which a subtree covers the target set S correctly is obtained as 

follows. 

[Equation 4] 

T(S) = Z qT fc£U |J T(u) = S s fr?s \Z\ fiflW* 

[0039] The entitlement information over Package S is the set ki of the middle key held in the node of T (S). 
As shown in a top, the set top terminal 400 decodes the program in S (accepting it) correctly with the set of 
this key. Theoretically, the tree method of this invention can build the entitlement information over the 
target set S of which arbitration, furthermore — however, if the program identifier p is assigned to 
arbitration, entitlement information will become so large that it is not allowed for the secure memory to 
which the set top terminal 400 was restricted. 

[0040] a process - as mentioned above, the head end server 300 performs the entitlement information 
delivery process 700 shown in drawing 7 , and generates and distributes the entitlement database 600 
required for each user in order to access the program which is a registered user. As mentioned above, the 
entitlement database 600 consists of corresponding directions and the corresponding middle key value ki of 
a partial program identifier to each node of the key tree 200 required for a customer to get the program key 
kp to the program which is a registered user. 

[0041] Therefore, the entitlement information delivery process 700 identifies first the program which the 
customer chose (710). After that, the entitlement information delivery process 700 finds minimum set [ of a 
tree node ] T (S). The subtree covers the target set S correctly. The target set S is disassembled to the 
maximum De Dis joint interval of the KONSEKYUTIBU program identifier p (720). Two program identifiers 
p are considered to be KONSEKYUTIBU when the integer over the binary expression is KONSEKYUTIBU. 
[0042] And covering T (S) is found to each interval (730). The corresponding partial program identifier p 
held in the node of covering T (S) to Set ki and each interval of a middle key is generated (740). At the end, 
the generated entitlement information downloads to the set top terminal 400 with the head end server 300 
(750), and program control is completed (760). 

[0043] The number of the intervals in the target set S can be set to I (S). In order to calculate covering T (S) to 
the single interval of the program identifier p to the order of the tree node of n, the key tree 200 of depth n 
must be asked. Therefore, the time amount complexity of the entitlement information delivery process 700 
serves as order of I(S) -n. Similarly, the magnitude of minimum covering T (S) serves as order of I(S) -n. The 
program identifier p which enables the program of related contents to carry out packaging of them 
efficiently should be assigned. In an example, a fundamental package is the gestalt of all the program 
identifiers p that have the bit prefix mu. 

[0044] The entitlement of such a single topic package is a single key in the key tree 200. Moreover, a 
multi-topic package can be assembled without a side effect. Entitlement information is only the set of a key 
to each TOPICS which consists of a multi-TOPICS package. According to this invention, the package 
specified by Prefix mu does not force to the set top terminal 400 so that a program may be decoded using 
zero prefix of the same die length. 

[0045] As mentioned above, the head end server 300 performs the program delivery process 800 shown in 
drawing 8 , and in order to decode a program and to transmit using the program identifier p, he gets the 
program key kp based on the program identifier p assigned to the program and the master key m. The 
program delivery process 800 is important for performing in off-line thru/or the real time except an actual 
transmitting step. As shown in drawing 8 , the program delivery process 800 starts the process using the 
principle of this invention by identifying the program which should be transmitted (810). 
[0046] After that, the program delivery process 800 takes out the program identifier p corresponding to the 
program from the program database 500 (820), and calculates the program key kp corresponding to the 



program (830). And a program is enciphered using the program key kp calculated at the front step (840). 
Finally, the program delivery process 800 transmits the program enciphered with the program identifier p 
(850), and program control ends it (860). 

[0047] It is important to suppose that it is possible to obtain the program key kp required for the program 
identifier p to be interleaved periodically, able to transmit it through transmission of program information, 
and for a customer change a channel at the time of a program, and decode a program. In another example, 
the program identifier p can be continuously transmitted on another control channel like a Barker channel. 
[0048] As mentioned above, the set top terminal 400 performs the decoding process 900 shown in drawing 9 
, using the entitlement information 600 and the received program identifier p memorized in order to obtain 
the program key kp, in order to decode the program, the program key kp is used and a customer decodes 
the program by which the entitlement is carried out. As shown in drawing 9 , the decoding process 900 
starts the process which used the principle of this invention on the occasion of the reception of the customer 
directions made to tune up to a specific channel (910). 

[0049] After that, the set top terminal 400 receives the suitable signal containing the enciphered program 
identifier p which was programmed and transmitted (920). The decoding process 900 takes out the 
entitlement information memorized from the entitlement database 600 (930). It judges whether the 
transmitted program is included (940). When the entry which has the partial-program identifier p which 
agrees in the leftmost digit bit of the receiving-agent identifier p at step 940 is judged not to exist in the 
entitlement database 600, a customer does not have an entitlement to the selected program and program 
control is ended (980). 

[0050] However, if an entry exists in the entitlement database 600 which has the partial-program identifier p 
corresponding to the leftmost digit bit of the received program identifier p, a customer has an entitlement to 
the selected program. Therefore, the program key kp is calculated using the middle key ki taken out from 
the entry of the entitlement database 600 (960). Specifically, the program key kp is calculated by operating 
suitable Hash Functions HO or HI so that each value of the bit of the low (n-r) order of the program 
identifier p may direct as follows. 
[Equation 5] 

K p =H Pm {...H p JH Pr (K ! ))...) 

[0051] Finally, the program is decoded using the obtained program key kp (970), and ends program control 
(980). When the received program is not a part of a customer's entitlement here, it is important that there is 
no entitlement information which has the partial identifier p corresponding to the low bit of the program 
identifier p which received with the transmitting program in the entitlement database 600. 
[0052] The decoding process 900 obtains a decode key, or moreover, as mentioned above Before a customer 
judges whether there is any entitlement to a demand channel In order that it can wait for a customer to 
demand a specific channel and the decoding process 900 may obtain the transmitting program identifier p 
instead, all channels are scanned periodically. It is important that the decode key to the storage in data 
storage 420 can be obtained, and a customer's entitlement can be judged beforehand again. 
[0053] a suitable Hash Function - as mentioned above, if Hash Function H is a pseudo-random bit 
generation machine, it can prove that mapping of p->kp is a pseudo-random function. Therefore, a code key 
cannot be predicted if actual Hash Function H is strong in cryptography. Therefore, if a piracy person has 
access only to encryption program broadcasting, it will not be able to break through a code in the 
knowledge about the key generated using the tree method of this invention. Therefore, only one concerns 
only become ensuring that video encryption algorithm can oppose to a well-known plain text attack. 
[0054] Hash Function H should hold two properties. Calculating Input x has that it must be difficult noting 
that the one half HO of an image (x) or HI (x) is given to the 1st to Hash Function H. Though this knows the 
image of both these one half, it is actually materialized also to the cryptography-hash [ which ] H with it 



difficult [ to carry out an inverted arch ]. Moreover, though HI (x) was known, it must be difficult to 
calculate HO (x), and the reverse of a thing is also the same. Even if it is difficult fundamentally to carry out 
the inverted arch of the function H, when the key of one one half is known, it becomes easier to complete 
the key of the remaining one half. If that is right, the piracy person who knows Program kp to Node u can 
calculate the key to the SHIBURINGU (sibling: sibling) node v, and can calculate the key to all the programs 
in the subtree of Node v. 

[0055] As one advantage of the tree method according to this invention, merge of an entitlement carried out 
in piracy may be made in inefficient. Pair pi, p2, and those ********** of a SHIBURINGU program are 
considered. A piracy person assumes that the program key kp corresponding to the programs pi and p2 of 
both which are two one half of H (kp (u)) is known. A piracy person still cannot do the inverted arch of the 
H, and cannot calculate kp (u). It is because H is a cryptography-Hash Function. Therefore, the entitlement 
carried out in the merged piracy must contain both kp (pi) and kp (p2) instead of compact kp (u). therefore, 
it is not a strategy good for a piracy person to divide to two or more set top terminals 400 which use a 
CHIPU (it is - although - it differs) entitlement. It is because a union ****** entitlement becomes very large. 
[0056] As mentioned above, the suitable pseudo-random Hash Function is indicated by reference, and 
O.Goldreich et al. and "How to Construct Random Functions" J.ACM and 33:792-807 (1986). 
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TECHNICAL FIELD 



[Field of the Invention] This invention relates to the system which transmits the program decoded with the 
memorized entitlement information using the program identifier used by the set top terminal, in order to 
obtain a decode key required to decode a program especially about the system which restricts access to the 
contents of tiansniitting programming. 
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PRIOR ART 



[Description of the Prior Art] It is still more important that a service provider like a cable television operator 
or a digital satellite service operator offers the package of the channel to which a majority of a television 
viewer's population is satisfied, or a program as the number of channels with an available television viewer 
increases and the range of the available contents of programming increases in number by such channel. 
Generally development of the package with which a customer is provided is a marketing function. A service 
provider is wanted to offer the package of various sizes generally. For example, they are all programs, the 
combination between them, etc. from one program. 

[0003] A service provider usually broadcasts a television program from the transmitter called a "head end" 
to many customers. Each customer is usually concerned with a part of programming to receive. For 
example, in a broadcast environment, any man can receive programming transmitted with a suitable 
receiver like an antenna or a satellite disk. In order to restrict access of a program only to the normal 
customer who purchased the package, a service provider usually enciphers a transmitting program and 
contains 1 or two or more code machines in a customer. A set top terminal (STT) is offered. By such 
approach, a set top terminal receives encryption transmission and the program which a customer looks at is 
enciphered. Nothing is carried out but this. 

[0004] In order that the confidentiality memorized in the set top terminal may make piracy of high 
information min, a set top terminal is usually equipped with a secure processor or secure memory. This 
secure memory has the capacity of several kilobits order, and memorizes a code key. Generally secure 
memory is not volatility but tamper REJISUTANTO. Moreover, secure memory has that it can write [ much 
] in and can carry out the repro gram of the key for every accounting period. Since the secure memory 
capacity of the conventional set top terminal is restricted, the number of the keys memorized will be 
restricted and the number of the packages which a service provider offers will also be restricted. The 
number of the programs which a service provider broadcasts to the accounting period of a moon unit may 
usually be the order of 200,000. 

[0005] The conventional set top terminal has a thing containing bit VEKUTORU which has a bit entry 
corresponding to each package of the program which a service provider offers. If a specific customer is the 
normal addressee of a package, the bit entry in the bit vector memorized in a set top terminal will be set to 
"1." After that, all the programs that a service provider transmits are enciphered by one key. If a program is 
received, a set top terminal will judge whether the bit entry which accesses and corresponds to a bit vector is 
set. If the bit entry is set, as for a set top terminal, a program will be decoded using one memorized code 
machine. 

[0006] Although it seems to a theory top that flexibility is attained by the bit vector method by offering one 
bit entry to each package (a package consisting of one program generally), the die length of a bit vector is 
not practical in the system which transmits many programs to one accounting period. Moreover, the access 
control in such a system is exclusively given by the entry in a bit vector, and is not code-like (cryptographic). 
Therefore, if a customer can write in a bit vector and can set all bits to "1", a customer will be able to access 
all programs. 



[0007] Moreover, a program is divided into each package and there are some as which all the programs in a 
package are enciphered using the same key. Each package corresponds to one television channel. A set top 
terminal memorizes the decode key to each package the customer of whose is a normal addressee. 
Therefore, if a program is included in two or more packages, that program must be broadcast again for 
corresponding each package of every, and will be enciphered in this the transmission of each by the code 
key corresponding to a specific package. Although it is cryptography-like [ an access control ], by the 
overhead about broadcasting programming again repeatedly, it will not be realistic, and will carry out 
arranging the same program as much packages, and flexibility will be restricted in the design of the package 
of a program. 

[0008] although the conventional system which encipher such contents of a program and be transmit be 
comparatively successful about restrict access only to a normal customer , it have not make it possible to 
provide a customer with the package with which a large number which include much programs , without 
make an overhead increase fairly differ , without a service provider like a television network exceed the 
secure memory capacity to which the set top terminal be restricted . The cryptography-approach and 
equipment which restrict access to the contents of transmitting programming to the "Vspace system" 
indicated by the United States patent applications 08/912186 (August 15, 1997 application) are indicated. 
[0009] Each program in a Vspace system is enciphered by the head end server before transmission using the 
program key kP. Each program key is the linearity combination of the set with which the master key M was 
defined. The program identifier which identifies a program is transmitted with the contents of encryption 
programming. A customer's set top terminal can obtain a decode key only from the entitlement information 
recorded on the program identifier p which received, and the front. A Vspace system offers a 
cryptography-access-control mechanism, enabling the package which is supple, without extending a 
program header fairly (only a program identifier being transmitted with a program). It is because it is not 
necessary to broadcast a program again for corresponding each package of every. 
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MEANS 



[Means for Solving the Problem] Generally, the contents of programming enciphered by 1 or two or more 
customers by the service provider using the transmitter thru/or the head end server are transmitted. The 
program identifier p used for identifying a program is transmitted to a customer with the contents of 
programming. Each customer has other devices in which access restricted to transmitting multimedia 
information using the set top terminal thru/or the decode key is given. A set top terminal receives 1 which 
can receive to normal at a period with a customer, or the entitlement information corresponding to the 
package of two or more programs from a head end. 

[0011] Each program is enciphered by the head end server before transmission using the program key kp. 
the program key kp of an individual — the program — unique — making . In addition to transmission of the 
enciphered program, a head end server transmits the program identifier p to a set top terminal. A set top 
terminal obtains a decode key required to decode a program using the program identifier p which received 
with the memorized entitlement information. In this approach, if a customer is the normal user of a specific 
program, a set top terminal can obtain the program key kp enciphered using the information memorized 
and received, and can decode the program enciphered using that program key kp after that. In an example, 
the program identifier p can be interleaved to a part of program, and can be transmitted on a separate 
exclusive control channel. 

[0012] Each of k-bit program key kp used for enciphering a transmitting program can be obtained by 
applying 1 or two or more pseudo-random Hash Functions to a master key m. As an example, Hash 
Function H which doubles die length can be used. Therefore, Hash Function H takes a k bit binary value, 
and makes the binary value of the die length of 2k. The output of Hash Function H can be expressed as pair 
HO of k-bit binary value as HI. Here, HO can be identified as a left half of the output of the Hash Function 
concerned, and HI can be identified as a right half of the output of the Hash Function concerned. 
[0013] As an example, the program key kp can be obtained according to the binary value to which each bit 
position of the program identifier p corresponds by applying recurrently Hash Functions HO or HI to a 
master key. Therefore, if the program identifier p consists of m bits, one side of Hash Functions HO or HI 
will be applied to each bit position of n of the program identifier p according to the bit value to which the 
program identifier p corresponds. First, one side of Hash Functions HO or HI is applied to a master key 
according to the binary value which is the leftmost digit bit of the program identifier p. After that, according 
to the binary value of a corresponding bit, one side of Hash Functions HO or HI is applied to the result of a 
pre- hash operation to each remaining bit position (n-1). Count of the program key kp can be expressed as 
follows. 
[Equation 1] 

K p =H p ,(...H fi (H pi (m))...) 

[0014] Such a hash operation can be expressed in relation to n level binary tree T (called a key tree) by which 
the root 2 master key m of a tree is arranged. A tree is generable by applying Hash Functions HO and HI to 



each node until a desired number of tree-level (n) is made. The program key kp corresponds to the leaf (leaf) 
node in the bottom (bottom) level of a tree. The binary index (the same the program identifier [ And ] p) 
corresponding to each program key kp corresponds to the pass (way) which passes along the key tree from 
the root to a desired leaf node. Therefore, the index thru/or label of Node u is connection of the label on H 
on the pass from the root to Node u. T (u) can calculate any key of the program in subtree T (u) by carrying 
out time (n-r) actuation of the Hash Function to the internal node u (ul, ur) in depth r in the subtree 
which makes Node u the root, i.e., the key tree which has the partial program identifier p showing the set of 
the program identifier p corresponding to the leaf in the subtree of Node u. 
[0015] 

[Embodiment of the Invention] Drawing 1 has shown the network environment which transmits video, an 
audio, and encryption multimedia information like data to 1 or two or more customers who have the set top 
terminals 400-401 through 1 or two or more distribution networks 110 using a transmitter like the head end 
server 300 from a service provider. This head end server 300 argues in relation to drawing 3 in the bottom, 
and argues about the set top terminal 400 in relation to drawing 4 in the bottom. In this specification, a set 
top terminal includes any device in which access restriction is given to the multimedia information 
transmitted using the decode key. For example, a computer configuration and a communication link device 
are included. A service provider may download the software which a set top terminal performs. A network 
110 can be made into the wireless broadcasting network which distributes contents of programming like 
digital satellite service (DSSTM), a cable television network (CATV), a public switching network (PSTN), an 
optical network, ISDN, and a cable network like the Internet. 

[0016] The set top terminal 400 receives entitlement information intermittently from the head end server 300, 
and enables a customer to access the program whose customer is a registered user between a certain time 
intervals (for example, accounting period). In this specification, a package is the set of a predetermined 
program and a certain program can belong to 1 or two or more packages. A program means all of 
continuous multimedia transmission of the episode of television, or specific die length like a movie. 
Entitlement information is downloadable in the set top terminal 400 from the head end server 300 using 
which suitable secure one way or bidirectional protocol. 

[0017] Program key and program identifier each transmitting program is enciphered by the head end server 
300 using the program key kp. This program key kp can be made unique to a program. Suitable encryption 
and a security technique are indicated by reference, B.Schneier, and Applied Cryptography (2d ed.1997). In 
addition to transmission of an encryption program, the head end server 300 also transmits a n bit program 
identifier to the set top terminal 400. This is used by the set top terminal 400 with the memorized entitled 
information, and as shown in a detail, it obtains a decode key required to decode a program in the bottom. 
[0018] The program identifier p is not chosen as arbitration so that the item of the bottom entitled 
assignment of the program identifier to a program may explain. In a desirable example, the program 
identifier p can consist of the 32-bit value transmitted in the ECM field specified to MPEG-2 criterion. In this 
case, if it is the registered user of the program of specification [ a customer ], the set top terminal 400 can 
obtain the program key kp from the information memorized and received, and it can use the program key 
kp so that an encryption program may be decoded after that. 

[0019] According to the further description of this invention, each of the k-bit program key kp used for an 
encryption transmitting program can be obtained by applying 1 or two or more pseudo-random Hash 
Functions to a master key m. Explanation of a suitable pseudo-random Hash Function is indicated by 
reference and O.Goldreich et al. and "How to Construct Random Functions" J.ACM and 33:792-807 (1986). 
[0020] As an example, it is secure in cryptography, and the Hash Function which doubles die length is used 
as follows. 

H: {0, 1) k->{0, l}2k - here, k is the die length of the program key kp. Therefore, Hash Function H takes the 
binary value of k bits, and makes the binary value of die-length 2k. The output of this Hash Function H can 



be expressed as pair HO of a k bit binary value as HI. Here, HO is the left-hand side one half (left-hand side 
digit bit) of the output of Hash Function H, and is H. {1} is the right-hand side one half (right-hand side digit 
bit) of the output of Hash Function H. HO and HI can be called a separate Hash Function. 
[0021] If it is k= 160, H can be specified using secret hash standard SHA-1 which is indicated by reference, 
Secure Hash Standard, National Institute of Standards and Technology, NIST FIPS PUB 180-1, and 
U.S.Dept.of Commerce (April, 1995). That is, HO is set to SHA-1 (x 1 1 0), and HI turns into SHA-1 (x 1 1 1). 
Here, 0 and 1 are the bit strings of all the bit strings 1 of 0 altogether, respectively. 

[0022] The program key kp can be obtained by applying recurrently 1 or two or more Hash Functions to a 
master key m according to the binary value of the program identifier p. As an example, the program key kp 
can be obtained by applying recurrently one side of Hash Functions HO or HI to a master key m according 
to the binary value of each bit position of the program identifier p. Generally, if the program identifier p 
consists of n bits, according to the bit value to which the program identifier p corresponds, one side of Hash 
Functions HO or HI will be applied to each of the bit position of n of the program identifier p (it starts from 
a leftmost bit). 

[0023] One side of Hash Functions HO or HI is first applied to a master key according to the binary value 
which is a leftmost digit bit. After that, according to the binary value which is the bit to which one side of 
Hash Functions HO or HI corresponds, it is applied to the result of pre- hash actuation to each remaining bit 
position (n-1). This hash actuation can be expressed as follows so that the'item of a title called lower "key 
tree" may explain. 
[Equation 2] 

K p =H p ,(...H Pj (H Pi ( m ))...) 

[0024] As mentioned above, the head end server 300 transmits the program identifier p with an encryption 
program. Therefore, if the program identifier p is given, the set top terminal 400 must obtain the program 
key kp used for decode of a receiving agent. As mentioned above, the program key kp can be obtained by 
applying recurrently 1 or two or more Hash Functions to a master key m according to the binary value of 
the program identifier p. The program key kp must be obtained by a customer's set top terminal 400, using 
indirectly the memorized entitlement information and the program identifier p which received which is 
explained in the bottom. 

[0025] As explained on the key tree, the program key kp can be obtained by using recurrently 1 or two or 
more Hash Functions for a master key m according to the binary value of the program identifier p. The k-bit 
single master key m is used. The bit of the program identifier p can be expressed as p= (pi, pn). Here, pi 
is a leftmost digit bit and is a rightmost digit bit. The cryptographic key kp to the program which has the 
program identifier p can be defined as follows. 
[Equation 3] 

K p =H p ^...H pi (H pi (m))...) 

[0026] Hash actuation can be expressed as a perfect n level binary tree T like the key tree 200 shown in 
drawing 2 . The key tree 200 shown in drawing 2 corresponds to the example of mounting which has the 
program identifier p which consists of a triplet. As shown in drawing 2 , a master key m is arranged on the 
root 210 of a tree 200. The program key kp corresponds to a leaf node like leaf nodes 240-247. The index 
corresponding to each program key kp shown in drawing 2 like the index 011 corresponding to the program 
key kp of the DERIFU node 243 shows the pass which lets the key tree 200 from the root 210 to a leaf node 
243 pass. For example, the program key kp of 243 can be obtained by following with the left edge (HO) from 
the root 210, the right edge (HI) from a node 220, and the right edge (HI) from a node 232. That is, HI is 
further applied for HO to the 2nd hash result. The program key kpOH can be obtained. 
[0027] Therefore, the label of a node u like a node 243 is what connected the label on the edge of the pass to 



Node u from the root 210. The label of each node can be specified by the program identifier p. Since the 
subtree which makes Node u the root is expressed, T (u) is used (namely, since the set of the program 
identifier p corresponding to the leaf in the subtree of Node u is expressed). The internal node u in depth r 
in the key tree 200 has the partial program identifier p (ul, ur), and can calculate the key of which 
program in subtree T (u) to these. Any key of the program in the subtree of Node u is calculable by carrying 
out time (n-r) actuation of the Hash Function. Specifically, it uses so that the value of each bit of the low 
digit of (n-r) of the program identifier p may direct suitable Hash Functions HO or HI. Therefore, the 
program key kp corresponding to Node u can function as an entitlement to all the programs in the subtree 
of Node u. 

[0028] If Function H is a pseudo-random generator, mapping kp{0, 1} ->[ n] {0, 1} k of the program key 
which the master key m parameterized is a pseudo-random function. This is indicated by reference, and 

0. Goldreich et al. and "How toConstruct Random Functions" J.ACM and 33:792-807 (1986). 

[0029] System component drawing 3 is the block diagram showing the head end server's 300 AKI theque 
char. A head end shall be related with the service provider of the arbitration which transmits a television 
network, a cable employment person, a digital satellite service employment person, or the contents of 
encryption programming, the head end server 300 ~ for example, IBM ~ it can mount with RS6000 server 
which Corp(s) and manufactures, and the function and actuation of this invention can be performed. The 
head end server 300 is equipped with related memory like a processor 310 and the data storage device 320. 
A processor 310 may be mounted as a single processor and may be mounted as some processors which 
operate to juxtaposition. The data storage device 320 and ROM are made to memorize 1 or two or more 
instructions, and a processor 310 enables it to perform by taking out and interpreting. 
[0030] As mentioned above, the data storage device 320 is equipped with the master key database 350 which 
memorizes a master key m. For example, a master key m can be updated like [ for every accounting period 

1. Moreover, the data storage device 320 has the program database 500 so that it may explain in relation to 
drawing 5 in the bottom. The program database 500 presents the program identifier p and the related 
package corresponding to each program, moreover, drawing 7 R> - the data storage device 320 has the 
entitlement information delivery process 700 and the program delivery process 800 so that it may explain in 
relation to 7 and 8. 

[0031] Generally, the entitlement information delivery process 700 generates and distributes the entitlement 
information which each customer needs to accessing the program which is a registered user. Moreover, the 
program delivery process 800 obtains the program key kp based on the program identifier p assigned to the 
program, in order to encipher a program and to transmit by the program identifier p. 
[0032] The communication link port 330 links the head end server 300 to each connected receiver like the set 
top terminal 400 which showed the head end server 300 to the network 110 at a bond and drawing 1 . 
[0033] Drawing 4 is the block diagram showing the AKI theque char of the set top terminal 400. The set top 
terminal 400 can be mounted as a set top terminal (SIT) corresponding to television, and it can be changed 
so that the function and actuation of this invention may be performed. The set top terminal 400. is equipped 
with a processor 410 and memory like data storage 420, and the communication link port 430, and operates 
by the same approach as the above hardware relevant to drawing 3 . 

[0034] Data storage 420 is equipped with the entitlement database 600 memorizable into the secure part of 
data storage 420 so that it may explain in relation to drawing 6 in the bottom. The entitlement database 600 
contains the part of the key tree 200 required in order that a customer may get the program key kp to the 
program which has an entitlement. Moreover, data storage 420 is equipped with Hash Functions HO and HI 
(440). Moreover, data storage 420 includes the decoding process 900 so that it may explain in relation to 
drawing 9 in the bottom. Generally, using the program identifier p received in order to obtain the program 
key kp, and the memorized entitlement information 600, in order to decode a program, the program key kp 
is used for the decoding process 900, and it decodes the program whose customer has an entitlement. 



[0035] Drawing 5 shows the program database 500 which memorizes information on each program p 
transmitted by the head end server 300. This information is transmitted to for example, an accounting 
period with the program identifier p to which that program belongs and which packs and corresponds, the 
program database 500 holds two or more decodings like records 505-520. These are related with a different 
program, respectively. The program database 500 contains the program identifier p which corresponds in 
the field 535 including directions of the corresponding package with which the program belongs in the field 
530 to each program identifier identified by the program name in the field 525. 

[0036] Drawing 6 shows the entitlement database 600 containing the part of the key tree 200 required for a 
customer to get the program key kp to the program which has an entitlement. As mentioned above, T (u) 
expresses the set of the program identifier p corresponding to the leaf nodes 240-247 in the subtree which 
makes Node u the root, i.e., the subtree of Node u. For example, supposing a customer has an entitlement 
about receiving four programs corresponding to leaf nodes 240-243, entitlement information will consist of a 
middle key corresponding to a node 220. In this approach, if needed, suitable Hash Functions HO and HI 
(440) can be used in order to obtain the program key kp to each nodes 230, 232, 240-243 in the subtree of a 
node 220. 

[0037] The entitlement database 600 shown by drawing 6 is a registered user who receives four programs 
corresponding to leaf nodes 240-243 (there is an entitlement), and is a registered user who receives two 
programs corresponding to leaf nodes 246-247. Therefore, the entitlement information recorded on the 
entitlement database 600 consists of a middle key corresponding to a node 220 and a node 236. nodes 220 
and 236 — it is alike, respectively, and it receives, and the entitlement information recorded on the 
entitlement database 600 has the middle key values kio and kill, respectively, and has corresponding 
directions of the partial program identifier p. The approach by which the entitlement database 600 is 
generated by the entitlement information delivery process 700 based on the package of the program which 
the customer chose is explained in relation to drawing 7 in the bottom. 

[0038] A small entitlement is establishable to the set of many programs of various sizes using the tree 
method of program packaging this invention. The target set S is established using the set of the program 
packed. The minimum set of a tree node with which a subtree covers the target set S correctly is obtained as 
follows. 
[Equation 4] 

, T(S) = Z c7 fcfcu (jT(u) = S s fa \Z\ [*«/J* 

[0039] The entitlement information over Package S is the set ki of the middle key held in the node of T (S). 
As shown in a top, the set top terminal 400 decodes the program in S (accepting it) correctly with the set of 
this key. Theoretically, the tree method of this invention can build the entitlement information over the 
target set S of which arbitration, furthermore - however, if the program identifier p is assigned to 
arbitration, entitlement information will become so large that it is not allowed for the secure memory to 
which the set top terminal 400 was restricted. 

[0040] a process — as mentioned above, the head end server 300 performs the entitlement information 
delivery process 700 shown in drawing 7 , and generates and distributes the entitlement database 600 
required for each user in order to access the program which is a registered user. As mentioned above, the 
entitlement database 600 consists of corresponding directions and the corresponding middle key value ki of 
a partial program identifier to each node of the key tree 200 required for a customer to get the program key 
kp to the program which is a registered user. 

[0041] Therefore, the entitlement information delivery process 700 identifies first the program which the 
customer chose (710). After that, the entitlement information delivery process 700 finds minimum set [ of a 
tree node ] T (S). The subtree covers the target set S correctly. The target set S is disassembled to the 



maximum De Dis joint interval of the KONSEKYUTIBU program identifier p (720). Two program identifiers 
p are considered to be KONSEKYUTIBU when the integer over the binary expression is KONSEKYUTIBU. 
[0042] And covering T (S) is found to each interval (730). The corresponding partial program identifier p 
held in the node of covering T (S) to Set ki and each interval of a middle key is generated (740). At the end, 
the generated entitlement information downloads to the set top terminal 400 with the head end server 300 
(750), and program control is completed (760). 

[0043] The number of the intervals in the target set S can be set to I (S). In order to calculate covering T (S) to 
the single interval of the program identifier p to the order of the tree node of n, the key tree 200 of depth n 
must be asked. Therefore, the time amount complexity of the entitlement information delivery process 700 
serves as order of I(S) -n. Similarly, the magnitude of minimum covering T (S) serves as order of I(S) -n. The 
program identifier p which enables the program of related contents to carry out packaging of them 
efficiently should be assigned. In an example, a fundamental package is the gestalt of all the program 
identifiers p that have the bit prefix mu. 

[0044] The entitlement of such a single topic package is a single key in the key tree 200. Moreover, a 
multi-topic package can be assembled without a side effect. Entitlement information is only the set of a key 
to each TOPICS which consists of a multi-TOPICS package. According to this invention, the package 
specified by Prefix mu does not force to the set top terminal 400 so that a program may be decoded using 
zero prefix of the same die length. 

[0045] As mentioned above, the head end server 300 performs the program delivery process 800 shown in 
drawing 8 , and in order to decode a program and to transmit using the program identifier p, he gets the 
program key kp based on the program identifier p assigned to the program and the master key m. The 
program delivery process 800 is important for performing in off-line thru/or the real time except an actual 
transmitting step. As shown in drawing 8 , the program delivery process 800 starts the process using the 
principle of this invention by identifying the program which should be transmitted (810). 
[0046] After that, the program delivery process 800 takes out the program identifier p corresponding to the 
program from the program database 500 (820), and calculates the program key kp corresponding to the 
program (830). And a program is enciphered using the program key kp calculated at the front step (840). 
Finally, the program delivery process 800 transmits the program enciphered with the program identifier p 
(850), and program control ends it (860). 

[0047] It is important to suppose that it is possible to obtain the program key kp required for the program 
identifier p to be interleaved periodically, able to transmit it through transmission of program information, 
and for a customer change a channel at the time of a program, and decode a program. In another example, 
the program identifier p can be continuously transmitted on another control channel like a Barker channel. 
[0048] As mentioned above, the set top terminal 400 performs the decoding process 900 shown in drawing 9 
, using the entitlement information 600 and the received program identifier p memorized in order to obtain 
the program key kp, in order to decode the program, the program key kp is used and a customer decodes 
the program by which the entitlement is carried out. As shown in drawing 9 , the decoding process 900 
starts the process which used the principle of this invention on the occasion of the reception of the customer 
directions made to tune up to a specific channel (910). 

[0049] After that, the set top terminal 400 receives the suitable signal containing the enciphered program 
identifier p which was programmed and transmitted (920). The decoding process 900 takes out the 
entitlement information memorized from the entitlement database 600 (930). It judges whether the 
transmitted program is included (940). When the entry which has the partial-program identifier p which 
agrees in the leftmost digit bit of the receiving-agent identifier p at step 940 is judged not to exist in the 
entitlement database 600, a customer does not have an entitlement to the selected program and program 
control is ended (980). 

[0050] However, if an entry exists in the entitlement database 600 which has the partial-program identifier p 



corresponding to the leftmost digit bit of the received program identifier p, a customer has an entitlement to 
the selected program. Therefore, the program key kp is calculated using the middle key ki taken out from 
the entry of the entitlement database 600 (960). Specifically, the program key kp is calculated by operating 
suitable Hash Functions HO or HI so that each value of the bit of the low (n-r) order of the program 
identifier p may direct as follows. 
[Equation 5] 

[0051] Finally, the program is decoded using the obtained program key kp (970), and ends program control 
(980). When the received program is not a part of a customer's entitlement here, it is important that there is 
no entitlement information which has the partial identifier p corresponding to the low bit of the program 
identifier p which received with the transmitting program in the entitlement database 600. 
[0052] The decoding process 900 obtains a decode key, or moreover, as mentioned above Before a customer 
judges whether there is any entitlement to a demand channel In order that it can wait for a customer to 
demand a specific channel and the decoding process 900 may obtain the transmitting program identifier p 
instead, all channels are scanned periodically. It is important that the decode key to the storage in data 
storage 420 can be obtained, and a customer's entitlement can be judged beforehand again. 
[0053] a suitable Hash Function - as mentioned above, if Hash Function H is a pseudo-random bit 
generation machine, it can prove that mapping of p->kp is a pseudo-random function. Therefore, a code key 
cannot be predicted if actual Hash Function H is strong in cryptography. Therefore, if a piracy person has 
access only to encryption program broadcasting, it will not be able to break through a code in the 
knowledge about the key generated using the tree method of this invention. Therefore, only one concerns 
only become ensuring that video encryption algorithm can oppose to a well-known plain text attack. 
[0054] Hash Function H should hold two properties. Calculating Input x has that it must be difficult noting 
that the one half HO of an image (x) or HI (x) is given to the 1st to Hash Function H. Though this knows the 
image of both these one half, it is actually materialized also to the cryptography-hash [ which ] H with it 
difficult [ to carry out an inverted arch ]. Moreover, though HI (x) was known, it must be difficult to 
calculate HO (x), and the reverse of a thing is also the same. Even if it is difficult fundamentally to carry out 
the inverted arch of the function H, when the key of one one half is known, it becomes easier to complete 
the key of the remaining one half. If that is right, the piracy person who knows Program kp to Node u can 
calculate the key to the SHIBURINGU (sibling: sibling) node v, and can calculate the key to all the programs 
in the subtree of Node v. 

[0055] As one advantage of the tree method according to this invention, merge of an entitlement carried out 
in piracy may be made in inefficient. Pair pi, p2, and those ********** G f a SHIBURINGU program are 
considered. A piracy person assumes that the program key kp corresponding to the programs pi and p2 of 
both which are two one half of H (kp (u)) is known. A piracy person still cannot do the inverted arch of the 
H, and cannot calculate kp (u). It is because H is a cryptography-Hash Function. Therefore, the entitlement 
carried out in the merged piracy must contain both kp (pi) and kp (p2) instead of compact kp (u). therefore, 
it is not a strategy good for a piracy person to divide to two or more set top terminals 400 which use a 
CHIPU (it is - although - it differs) entitlement. It is because a union ****** entitlement becomes very large. 
[0056] As mentioned above, the suitable pseudo-random Hash Function is indicated by reference, and 
O.Goldreich et al. and "How to Construct Random Functions" J.ACM and 33:792-807 (1986). 
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[Procedure revision] 

[Filing Date] August 13, Heisei 14 (2002. 8.13) 

[Procedure amendment 1] 

[Document to be Amended] Specification 

[Item(s) to be Amended] Claim 

[Method of Amendment] Modification 

[Proposed Amendment] 

[Claim(s)] 

[Claim 1] It is the approach of transmitting the program which can carry out access restriction to an end 
user, 

(A) The step which assigns the program identifier which has a binary value to said program, 

(B) The step which defines at least one master key, 



(C) The step which enciphers said program by using the program key obtained by applying at least one 

Hash Function to said master key based on the binary value of said program identifier, 
" (D) The approach characterized by having the step which sends said enciphered program to said end user 

with said program identifier. 
: [Claim 2] Said program identifier is an approach according to claim 1 characterized by applying one of said 

the Hash Functions to each location of h bits of said program identifier according to the bit value to which it 
^ becomes from n bits and said program identifier corresponds. 

;.: [Claim 3] (E) The approach according to claim 1 characterized by having further the step which provides 
I said end user with entitlement information based on the set of the program acquired by said end user. 
| [Claim 4] The approach according to claim 3 characterized by including some key trees based on the set of 
k the program acquired by said end user in said entitlement information. 

i* [Claim 5] Said end user is an approach according to claim 3 characterized by using said program identifier 
; in order to obtain said program key from said memorized entitlement information. 
I [Claim 6] Said program identifier is an approach according to claim 1 characterized by interleaving with 
J transmission of said encryption program. 

. [Claim 7] Said program identifier is an approach according to claim 1 characterized by being transmitted on 
i a control channel. 

f [Claim 8] It is the approach of transmitting a program to two or more end users, 

(A) The step enciphered using the program key obtained by applying a Hash Function to the master key 
i based on the binary value of each bit position of said program identifier for the program which has a 
| program identifier recurrently, 

i(B) The approach characterized by having the step which transmits the enciphered program and said 
Program identifier to said end user. 

|[Claim 9] It is the approach of transmitting the program corresponding to at least one program package to 
Itwo or more end users, 

1|A) The step which provides said end user with entitlement information based on the set of the program 
I acquired by said end user, 

|(B) The step enciphered using the program key obtained by applying a Hash Function to the master key 
pbased on the binary value of each bit position of said program identifier for the program which has a 
} program identifier recurrently, 

!.-• (C) It has further the step which transmits said program identifier to said end user with the enciphered 
Iprogram, 

It is the approach characterized by obtaining said program key from the entitlement information said end 
f user Was remembered to be when said end user was a just user of said program. 
; [Claim 10] It is the approach of decoding the enciphered program, 

(A) The step which receives the entitlement information which contains at least one middle key from a key 
tree based on the set of the program which said customer acquired from the provider of said program, 

(B) The encryption program enciphered by the program key, and the step which receives a program 
identifier, 

(C) The step which obtains said program key from the part said program identifier and said key tree were 
remembered to be, 

(D) The approach characterized by having the step which decodes said encryption program using said 
program key. 

[Claim 11] Said program identifier consists of n bits, 

It is the approach according to claim 10 which said master key is arranged on the root of said key tree, and is 
characterized by generating said key tree when said key tree applies a Hash Function to each node until the 
tree level of n is made. 



[Claim 12] It is the approach of decoding the enciphered program, 

(A) The step which receives the entitlement information which contains at least one middle key from the key 
tree based on the set of the program which a customer acquires from the provider of said program, 

(B) The encryption program enciphered by the program key, and the step which receives a program 
identifier, 

(C) The step which obtains said program key from the part the key tree was remembered to be from said 
program identifier and said middle key by applying a Hash Function to said middle key recurrently based 

i on the binary value of said program identifier, 

; (D) The approach characterized by having the step which decodes said encryption program using said 
program key. 
! [Claim 13] Said program identifier consists of n bits, 

i It is the approach according to claim 12 which said middle key corresponds to the intermediate node in the 
, level r of said key tree, and is characterized by carrying out n-r time application of said Hash Function at 
j said middle key. 

[Claim 14] It is the system which transmits the program which restricts access to an end user, 
j (A) Memory which memorizes a master key and a computer readout possible code, 
[(B) It has the processor connected with said memory in actuation, and this processor, 
I (a) Assign the program identifier which has a binary value to said program, 

(b) Define at least one master key, 
j (c) Encipher said program using a program key by applying at least one Hash Function to said master key 
''based on the binary value of said program identifier, 

! (d) The system characterized by constituting so that an encryption program may be transmitted to Said end 
I user with said program identifier. 
[Claim 15] It is the system which transmits the program to which access to an end user was restricted, 

(A) Memory which memorizes a master key and the code which can be computer read, 

(B) It has the processor connected with said memory on actuation, 
Said processor, 

(a) Encipher this program that has a program identifier using the program key obtained by applying a Hash 
j; Function to a master key recurrently based on the binary value of each bit position of said program 
: identifier, 

? (b) The system characterized by constituting so that this program enciphered by said end user and said 
program identifier may be transmitted. 

[Claim 16] It is the system which decodes the enciphered program, 

(A) Memory which memorizes a master key and the code which can be computer read, 

(B) It has the processor connected with said memory on actuation, and is said processor, 

(a) Receive the entitlement information containing the part of the key tree based on the set of the program 
acquired by said customer from the provider of this program, 

(b) Receive the encryption program enciphered by the program key and a program identifier, 

(c) Obtain said program key from said part said program identifier and said key tree were remembered to 
be, ... 

(d) The system characterized by constituting so that said encryption program may be decoded using said 
program key. 

[Claim 17] It is the medium by which the code means which can be computer read was mounted and which 
can be computer read, and this means that can be computer read is at the time of operation, 

(a) Assign the program identifier which has a binary value to a program, 

(b) Define at least one master key, 

(c) Encipher this program using the program key obtained by applying at least one Hash Function to said 



master key based on the binary value of said program identifier, 

(d) The medium which is characterized by transmitting this program enciphered with said program 
identifier to an end user and which can be computer read. 

[Claim 18] It is the medium by which the code means which can be computer read was mounted and which 
can be computer read, and this means that can be computer read is at the time of operation, 

(a) Receive the entitlement information containing the part of the key tree based on the set of the program 
j, acquired by said customer from the provider of this program, 

(b) Receive the encryption program enciphered by the program key and a program identifier, 

(c) Obtain said program key from said part said program identifier and said key tree were remembered to . 
be, 

(d) The medium which is characterized by decoding said encryption program using said program key and 
. which can be computer read. 



f [Translation done.] 



